Windows Analysis Report
442.docx.exe

Overview

General Information

Sample name: 442.docx.exe (renamed because original name is a hash value)
Original sample name: .docx.exe
Analysis ID: 1567177
MD5: fb8117b1a3f0924100fbc209dbbb1bb1
SHA1: 9d18c954eae8e8f8437d4e32d0b685f3f51b982b
SHA256: beaa1498a67bab02bc4c08f00bde36489aaa86ad8b01ee70b477452a08d360ec

Detection

RMSRemoteAdmin
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
AI detected suspicious sample
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
AV process strings found (often used to terminate AV products)
Adds / modifies Windows certificates
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected RMS RemoteAdmin tool
Yara signature match

Classification

  • System is w10x64
  • 442.docx.exe (PID: 6236 cmdline: "C:\Users\user\Desktop\442.docx.exe" MD5: FB8117B1A3F0924100FBC209DBBB1BB1)
    • msiexec.exe (PID: 1544 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\intel\Word.msi" /qn MD5: E5DA170027542E25EDE42FC54C929077)
    • WINWORD.EXE (PID: 3336 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\intel\Doc.docx" /o "" MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)
  • msiexec.exe (PID: 5856 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 4960 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 27EB6A3C3744FE0C3070BA0974142203 MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • rfusclient.exe (PID: 7596 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" -msi_copy "C:\intel\Word.msi" MD5: CB9BE257064162076EBD4869CD97E166)
    • rutserv.exe (PID: 7732 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall MD5: D563A4D6BFCFE6884D1AC88824CB5C2A)
    • rutserv.exe (PID: 7876 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall MD5: D563A4D6BFCFE6884D1AC88824CB5C2A)
    • rutserv.exe (PID: 7908 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start MD5: D563A4D6BFCFE6884D1AC88824CB5C2A)
  • sppsvc.exe (PID: 1704 cmdline: C:\Windows\system32\sppsvc.exe MD5: 320823F03672CEB82CC3A169989ABD12)
  • svchost.exe (PID: 5968 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • rutserv.exe (PID: 8104 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -service MD5: D563A4D6BFCFE6884D1AC88824CB5C2A)
    • rfusclient.exe (PID: 3688 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" MD5: CB9BE257064162076EBD4869CD97E166)
      • rfusclient.exe (PID: 7512 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray MD5: CB9BE257064162076EBD4869CD97E166)
    • rfusclient.exe (PID: 2416 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray MD5: CB9BE257064162076EBD4869CD97E166)
    • rutserv.exe (PID: 2088 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall MD5: D563A4D6BFCFE6884D1AC88824CB5C2A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security |
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | MALWARE_Win_RemoteUtilitiesRAT | RemoteUtilitiesRAT RAT payload | ditekSHen |
  • 0x3a1d58:$s1: rman_message
  • 0x453340:$s3: rms_host_
  • 0x453cf8:$s3: rms_host_
  • 0x816eb4:$s4: rman_av_capture_settings
  • 0x45a4c4:$s7: _rms_log.txt
  • 0x4bf3c8:$s8: rms_internet_id_settings
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security |
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | MALWARE_Win_RemoteUtilitiesRAT | RemoteUtilitiesRAT RAT payload | ditekSHen |
  • 0x39e594:$s1: rman_message
  • 0x46d594:$s3: rms_host_
  • 0x46df4c:$s3: rms_host_
  • 0x82acb0:$s4: rman_av_capture_settings
  • 0x877858:$s5: rman_registry_key
  • 0x8778a4:$s5: rman_registry_key
  • 0x543d6c:$s6: rms_system_information
  • 0x2f1a18:$s7: _rms_log.txt
  • 0x503238:$s8: rms_internet_id_settings

Source | Rule | Description | Author | Strings
00000013.00000002.3578843843.000000000348A000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security |
00000012.00000002.3578746166.000000000351A000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security |
00000013.00000002.3578843843.0000000003458000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security |
0000000A.00000000.1833112802.0000000001A05000.00000002.00000001.01000000.0000000B.sdmp | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security |
00000012.00000002.3578746166.00000000034F6000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security |

Source | Rule | Description | Author | Strings
10.0.rfusclient.exe.f50000.0.unpack | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security |
10.0.rfusclient.exe.f50000.0.unpack | MALWARE_Win_RemoteUtilitiesRAT | RemoteUtilitiesRAT RAT payload | ditekSHen |
  • 0x3a1d58:$s1: rman_message
  • 0x453340:$s3: rms_host_
  • 0x453cf8:$s3: rms_host_
  • 0x816eb4:$s4: rman_av_capture_settings
  • 0x45a4c4:$s7: _rms_log.txt
  • 0x4bf3c8:$s8: rms_internet_id_settings

                  System Summary

                  Source: Process started; Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Users\user\Desktop\442.docx.exe", CommandLine: "C:\Users\user\Desktop\442.docx.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\442.docx.exe, NewProcessName: C:\Users\user\Desktop\442.docx.exe, OriginalFileName: C:\Users\user\Desktop\442.docx.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\442.docx.exe", ProcessId: 6236, ProcessName: 442.docx.exe
                  Source: Network Connection; Author: frack113; Data: DestinationIp: 111.90.147.125, DestinationIsIpv6: false, DestinationPort: 465, EventID: 3, Image: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, Initiated: true, ProcessId: 8104, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49871
                  Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5968, ProcessName: svchost.exe

                  Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                  2024-12-03T09:00:05.231772+0100 | 2849354 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49874 | 111.90.147.125 | 80 | TCP

                  AV Detection

                  Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.0% probability
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Code function: 10_2_5FC845A0 rmsEncInitSimpleEncryption,memcpy,memcpy
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Code function: 10_2_5FC83760 rmsEncEncryptData
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Code function: 10_2_5FC83D30 rmsEncRsaPrivateDecrypt,memcpy,memcpy,memcpy
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Code function: 10_2_5FC838C0 rmsEncDecryptData
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Code function: 10_2_5FC842D0 rmsEncRsaPrivateEncrypt,memcpy,memcpy,memcpy
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Code function: 10_2_5FC83AE0 rmsEncRsaPublicEncrypt,memcpy
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Code function: 10_2_5FC84000 rmsEncRsaPublicDecrypt,memcpy,memcpy,memcpy
                  Source: rfusclient.exe, 0000000A.00000000.1833112802.0000000001A05000.00000002.00000001.01000000.0000000B.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_99a46da1-f

                  Compliance

                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Unpacked PE file: 10.2.rfusclient.exe.f50000.0.unpack
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, File created: C:\ProgramData\Remote Manipulator System\install.log
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf
                  Source: 442.docx.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                  Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: 442.docx.exe, 00000000.00000000.1709867810.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp, 442.docx.exe, 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                  Source: C:\Windows\System32\msiexec.exe, File opened: z:
                  Source: C:\Windows\System32\msiexec.exe, File opened: x:
                  Source: C:\Windows\System32\msiexec.exe, File opened: v:
                  Source: C:\Windows\System32\msiexec.exe, File opened: t:
                  Source: C:\Windows\System32\msiexec.exe, File opened: r:
                  Source: C:\Windows\System32\msiexec.exe, File opened: p:
                  Source: C:\Windows\System32\msiexec.exe, File opened: n:
                  Source: C:\Windows\System32\msiexec.exe, File opened: l:
                  Source: C:\Windows\System32\msiexec.exe, File opened: j:
                  Source: C:\Windows\System32\msiexec.exe, File opened: h:
                  Source: C:\Windows\System32\msiexec.exe, File opened: f:
                  Source: C:\Windows\System32\msiexec.exe, File opened: b:
                  Source: C:\Windows\System32\msiexec.exe, File opened: y:
                  Source: C:\Windows\System32\msiexec.exe, File opened: w:
                  Source: C:\Windows\System32\msiexec.exe, File opened: u:
                  Source: C:\Windows\System32\msiexec.exe, File opened: s:
                  Source: C:\Windows\System32\msiexec.exe, File opened: q:
                  Source: C:\Windows\System32\msiexec.exe, File opened: o:
                  Source: C:\Windows\System32\msiexec.exe, File opened: m:
                  Source: C:\Windows\System32\msiexec.exe, File opened: k:
                  Source: C:\Windows\System32\msiexec.exe, File opened: i:
                  Source: C:\Windows\System32\msiexec.exe, File opened: g:
                  Source: C:\Windows\System32\msiexec.exe, File opened: e:
                  Source: C:\Windows\System32\svchost.exe, File opened: c:
                  Source: C:\Windows\System32\msiexec.exe, File opened: a:
                  Source: C:\Users\user\Desktop\442.docx.exe, Code function: 0_2_00007FF6E99740BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn
                  Source: C:\Users\user\Desktop\442.docx.exe, Code function: 0_2_00007FF6E998B190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn
                  Source: C:\Users\user\Desktop\442.docx.exe, Code function: 0_2_00007FF6E999FCA0 FindFirstFileExA
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, File opened: C:\Windows\SysWOW64\wininet.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, File opened: C:\Windows\SysWOW64\winspool.drv
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\COMCTL32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, File opened: C:\Windows\SysWOW64\
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, File opened: C:\Windows\SysWOW64\winmm.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Code function: 4x nop then push esi, 10_2_60046B90
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Code function: 4x nop then sub esp, 1Ch, 10_2_6004BEB0
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Code function: 4x nop then push esi, 10_2_60046AD0
                  Source: winword.exe, Memory has grown: Private usage: 1MB later: 89MB

                  Networking

                  Source: Network traffic, Suricata IDS: 2849354 - Severity 1 - ETPRO MALWARE Remote Admin Backdoor Related Activity : 192.168.2.4:49874 -> 111.90.147.125:80
                  Source: global traffic, TCP traffic: 192.168.2.4:49808 -> 95.213.205.83:5655
                  Source: global traffic, TCP traffic: 192.168.2.4:49809 -> 77.223.124.212:5655
                  Source: global traffic, TCP traffic: 192.168.2.4:49869 -> 111.90.147.125:55555
                  Source: global traffic, TCP traffic: 192.168.2.4:49872 -> 78.138.9.142:8080
                  Source: Joe Sandbox View, ASN Name: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY
                  Source: unknown, TCP traffic detected without corresponding DNS query: 77.223.124.212
                  Source: unknown, TCP traffic detected without corresponding DNS query: 111.90.147.125
                  Source: unknown, TCP traffic detected without corresponding DNS query: 78.138.9.142
                  Source: global traffic, DNS traffic detected: DNS query: id72.internetid.ru
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE87583000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE874A0000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE8752D000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE875EA000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2611527049.0000000000BF6000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2013813580.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3573779688.0000000000BC9000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.3368896076.0000000000BF6000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3612352313.0000000004250000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE874DD000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE8751B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE874DD000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE8751B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE874DD000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE8751B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                  Source: svchost.exe, 00000006.00000003.1769298498.000001E620E28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                  Source: svchost.exe, 00000006.00000003.1769298498.000001E620E28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
                  Source: svchost.exe, 00000006.00000003.1769298498.000001E620E28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                  Source: svchost.exe, 00000006.00000003.1769298498.000001E620E28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                  Source: svchost.exe, 00000006.00000003.1769298498.000001E620E28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                  Source: svchost.exe, 00000006.00000003.1769298498.000001E620E28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                  Source: svchost.exe, 00000006.00000003.1769298498.000001E620E5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                  Source: svchost.exe, 00000006.00000003.1769298498.000001E620EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                  Source: rfusclient.exe, 0000000A.00000000.1831381748.0000000000F9F000.00000020.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000C.00000000.1872421176.0000000000EA1000.00000020.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000011.00000003.1954449236.000000007B210000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://madExcept.comU
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE87583000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE874A0000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE8752D000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE875EA000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2013813580.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3612352313.0000000004250000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE874DD000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE87583000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE8751B000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE874A0000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE8752D000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE875EA000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2013813580.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3612352313.0000000004250000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE874DD000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE8751B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE87583000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE874A0000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE8752D000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE875EA000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.3368896076.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2611527049.0000000000C42000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3573779688.0000000000C42000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2013813580.0000000000C30000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3612352313.0000000004250000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                  Source: rutserv.exe, 00000011.00000003.2012865832.0000000000C9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.glob
                  Source: rutserv.exe, 00000011.00000003.2611527049.0000000000C38000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2013813580.0000000000C30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/
                  Source: rutserv.exe, 00000011.00000003.2012865832.0000000000C8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr45
                  Source: rutserv.exe, 00000011.00000003.2012865832.0000000000C8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr45%j
                  Source: rutserv.exe, 00000011.00000003.2013813580.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2611527049.0000000000C75000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6N
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE87583000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE874A0000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE8752D000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE875EA000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.3368896076.0000000000C3C000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2611527049.0000000000C3C000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2013813580.0000000000C30000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3573779688.0000000000C3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
                  Source: rutserv.exe, 00000011.00000003.2013813580.0000000000C30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr45http://crl.globalsign.com/codesigningrootr45.crl
                  Source: rutserv.exe, 00000011.00000003.2012865832.0000000000C8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr45wi
                  Source: rutserv.exe, 00000011.00000003.2012865832.0000000000C8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca2020
                  Source: rutserv.exe, 00000011.00000003.2611527049.0000000000C83000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBTLuA3ygnKW%2F7xuSx%2
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE87583000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE874A0000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE8752D000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE875EA000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2611527049.0000000000C3C000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2013813580.0000000000C30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE87583000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE874A0000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE8752D000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE875EA000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2123815564.0000000000C9A000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2013813580.0000000000C30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/rootr30;
                  Source: rutserv.exe, 00000011.00000003.2013813580.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2611527049.0000000000C62000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3573779688.0000000000C65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/rootr3http://crl.globalsign.com/root-r3.crl
                  Source: rutserv.exe, 00000011.00000002.3583938234.0000000002AD8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru/
                  Source: rutserv.exe, 00000011.00000002.3583938234.0000000002AD8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru///rmansys.ru/
                  Source: rutserv.exe, 00000011.00000002.3583938234.0000000002AD8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru///rmansys.ru/;
                  Source: rutserv.exe, 0000000C.00000000.1886249822.0000000002361000.00000002.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000011.00000002.3613496586.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3613496586.00000000045BF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru/internet-id/
                  Source: rutserv.exe, 00000011.00000002.3583938234.0000000002AD8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru/nsys.ru/pf
                  Source: rutserv.exe, 00000011.00000002.3583938234.0000000002AD8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru/pf
                  Source: rutserv.exe, 00000011.00000002.3583938234.0000000002AD8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru/rd
                  Source: rutserv.exe, 00000011.00000002.3583938234.0000000002AD8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru/web-help/
                  Source: rutserv.exe, 00000011.00000002.3583938234.0000000002AD8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru/web-help/eb-help/
                  Source: rutserv.exe, 00000011.00000002.3583938234.0000000002AD8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru/web-help/eb-help/D
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE874DD000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE8751B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE874DD000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE8751B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s2.symcb.com0
                  Source: 442.docx.exe, 00000000.00000003.1734447762.000001AE83505000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.microsoft.c
                  Source: rfusclient.exe, 0000000A.00000000.1831381748.0000000000F9F000.00000020.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000C.00000000.1872421176.0000000000EA1000.00000020.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000011.00000003.1954449236.000000007B210000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE87583000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE874A0000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE8752D000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE875EA000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.3368896076.0000000000C3C000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2611527049.0000000000C3C000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2013813580.0000000000C30000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3573779688.0000000000C3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE87583000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE874A0000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE8752D000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE875EA000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2611527049.0000000000C3C000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2013813580.0000000000C30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE87583000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE874A0000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE8752D000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE875EA000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2123815564.0000000000C9A000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2013813580.0000000000C30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
                  Source: rfusclient.exe, 0000000A.00000000.1833112802.0000000001A05000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000C.00000000.1886249822.0000000002361000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE874DD000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE8751B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crl0a
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE874DD000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE8751B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crt0
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE874DD000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE8751B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcd.com0&
                  Source: rutserv.exe, 0000000C.00000000.1872421176.0000000000EA1000.00000020.00000001.01000000.0000000D.sdmpString found in binary or memory: http://update.tektonit.ru/upgrade.ini
                  Source: rutserv.exe, 0000000C.00000000.1872421176.0000000000EA1000.00000020.00000001.01000000.0000000D.sdmpString found in binary or memory: http://update.tektonit.ru/upgrade_beta.ini
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE874DD000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE8751B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE874DD000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE8751B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.flexerasoftware.com0
                  Source: rfusclient.exe, 0000000A.00000003.1857706686.0000000000D05000.00000004.00001000.00020000.00000000.sdmp, rfusclient.exe, 0000000A.00000000.1831381748.00000000017AB000.00000020.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000C.00000003.1906989311.0000000004405000.00000004.00001000.00020000.00000000.sdmp, rutserv.exe, 0000000C.00000000.1872421176.00000000018A1000.00000020.00000001.01000000.0000000D.sdmp, rutserv.exe, 0000000F.00000003.1932196409.00000000043A5000.00000004.00001000.00020000.00000000.sdmp, rutserv.exe, 00000010.00000003.1986456632.0000000002585000.00000004.00001000.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3583938234.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.indyproject.org/
                  Source: rfusclient.exe, 0000000A.00000000.1833112802.0000000001A05000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000C.00000000.1886249822.0000000002361000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: http://www.inkscape.org/namespaces/inkscape
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE874DD000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE8751B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/cps0(
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE874DD000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE8751B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/rpa00
                  Source: rutserv.exe, 00000010.00000002.2013146565.00000000601C7000.00000002.00000001.01000000.0000000C.sdmpString found in binary or memory: https://curl.se/docs/alt-svc.html
                  Source: rutserv.exe, 00000010.00000002.2013146565.00000000601C7000.00000002.00000001.01000000.0000000C.sdmpString found in binary or memory: https://curl.se/docs/hsts.html
                  Source: rfusclient.exe, 0000000A.00000002.1865509119.0000000060100000.00000002.00000001.01000000.0000000C.sdmp, rutserv.exe, 0000000C.00000002.1916978966.0000000060227000.00000002.00000001.01000000.0000000C.sdmp, rutserv.exe, 00000010.00000002.2013146565.00000000601C7000.00000002.00000001.01000000.0000000C.sdmpString found in binary or memory: https://curl.se/docs/http-cookies.html
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE874DD000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE8751B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE874DD000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE8751B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0
                  Source: svchost.exe, 00000006.00000003.1769298498.000001E620ED2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
                  Source: svchost.exe, 00000006.00000003.1769298498.000001E620E82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
                  Source: svchost.exe, 00000006.00000003.1769298498.000001E620ED2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2
                  Source: svchost.exe, 00000006.00000003.1769298498.000001E620EB3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
                  Source: svchost.exe, 00000006.00000003.1769298498.000001E620ED2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
                  Source: rutserv.exe, 00000010.00000002.2013146565.00000000601DF000.00000002.00000001.01000000.0000000C.sdmpString found in binary or memory: https://gcc.gnu.org/bugsrg/bugs/):
                  Source: svchost.exe, 00000006.00000003.1769298498.000001E620ED2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
                  Source: svchost.exe, 00000006.00000003.1769298498.000001E620E82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE8744B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rmansys.ru/IS_PREVENT_DOWNGRADE_EXITZ_DOWNGRADE_DETECTED;Z_UPGRADE_DETECTED;COMPANYNAME;INST
                  Source: rutserv.exe, 00000011.00000002.3583938234.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://rmansys.ru/remote-access/
                  Source: rutserv.exe, 00000011.00000002.3583938234.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://rmansys.ru/remote-access//rmansys.ru/remote-access/
                  Source: rutserv.exe, 00000011.00000002.3583938234.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://rmansys.ru/remote-access//rmansys.ru/remote-access/O
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE874DD000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE8751B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE87583000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE874A0000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE8752D000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1721650604.000001AE875EA000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2123815564.0000000000C9A000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.3368896076.0000000000C3C000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2611527049.0000000000C3C000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2013813580.0000000000C30000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3573779688.0000000000C3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/0
                  Source: rfusclient.exe, 0000000A.00000000.1833112802.0000000001A05000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000C.00000000.1886249822.0000000002361000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://www.remoteutilities.com/about/privacy-policy.php
                  Source: rfusclient.exe, 0000000A.00000000.1833112802.0000000001A05000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000C.00000000.1886249822.0000000002361000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://www.remoteutilities.com/buy/money-back-guarantee.php
                  Source: rfusclient.exe, 0000000A.00000000.1833112802.0000000001A05000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000C.00000000.1886249822.0000000002361000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://www.remoteutilities.com/support/docs/installing-and-uninstalling/
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A1D627669EFC8CD4F21BCF387D97F9B5_E818918BC57803438E0E0146A88425A7
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C

                  System Summary

                  Source: 10.0.rfusclient.exe.f50000.0.unpack, type: UNPACKEDPE, Matched rule: RemoteUtilitiesRAT, RAT payload, Author: ditekSHen
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, type: DROPPED, Matched rule: RemoteUtilitiesRAT, RAT payload, Author: ditekSHen
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, type: DROPPED, Matched rule: RemoteUtilitiesRAT, RAT payload, Author: ditekSHen
                  Source: C:\Users\user\Desktop\442.docx.exe, Code function: 0_2_00007FF6E996C2F0: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF6E996C2F0
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\3c2b90.msi
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3053.tmp
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{77817ADF-D5EC-49C6-B987-6169BBD5345B}
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipi
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI31DA.tmp
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\3c2b93.msi
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\ARPPRODUCTICON.exe
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_start_C00864331B9D4391A8A26292A601EBE2.exe
                  Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A1D627669EFC8CD4F21BCF387D97F9B5_E818918BC57803438E0E0146A88425A7
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A1D627669EFC8CD4F21BCF387D97F9B5_E818918BC57803438E0E0146A88425A7
                  Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSI3053.tmp
                  Source: unires_vpd.dll.2.drStatic PE information: Resource name: None type: COM executable for DOS
                  Source: rutserv.exe.2.drStatic PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
                  Source: rfusclient.exe.2.drStatic PE information: Resource name: MAD type: DOS executable (COM, 0x8C-variant)
                  Source: rfusclient.exe.2.drStatic PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
                  Source: unidrvui_rppd.dll0.2.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                  Source: unires_vpd.dll0.2.drStatic PE information: Resource name: None type: COM executable for DOS
                  Source: libasset32.dll.2.drStatic PE information: Number of sections : 19 > 10
                  Source: rutserv.exe.2.drStatic PE information: Number of sections : 11 > 10
                  Source: rfusclient.exe.2.drStatic PE information: Number of sections : 11 > 10
                  Source: libcodec32.dll.2.drStatic PE information: Number of sections : 20 > 10
                  Source: unires_vpd.dll0.2.drStatic PE information: No import functions for PE file found
                  Source: unires_vpd.dll.2.drStatic PE information: No import functions for PE file found
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE874DD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameISRegSvr.dll vs 442.docx.exe
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE87583000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_IsIcoRes.exe< vs 442.docx.exe
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE874A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_IsIcoRes.exe< vs 442.docx.exe
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE874A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSetAllUsers.dll< vs 442.docx.exe
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE8752D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_IsIcoRes.exe< vs 442.docx.exe
                  Source: 442.docx.exe, 00000000.00000003.1721650604.000001AE875EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_IsIcoRes.exe< vs 442.docx.exe
                  Source: 10.0.rfusclient.exe.f50000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RemoteUtilitiesRAT author = ditekSHen, description = RemoteUtilitiesRAT RAT payload, clamav_sig = MALWARE.Win.Trojan.RemoteUtilitiesRAT
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, type: DROPPEDMatched rule: MALWARE_Win_RemoteUtilitiesRAT author = ditekSHen, description = RemoteUtilitiesRAT RAT payload, clamav_sig = MALWARE.Win.Trojan.RemoteUtilitiesRAT
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, type: DROPPEDMatched rule: MALWARE_Win_RemoteUtilitiesRAT author = ditekSHen, description = RemoteUtilitiesRAT RAT payload, clamav_sig = MALWARE.Win.Trojan.RemoteUtilitiesRAT
                  Source: unires_vpd.dll0.2.drStatic PE information: Section .rsrc
                  Source: unires_vpd.dll.2.drStatic PE information: Section .rsrc
                  Source: classification engineClassification label: mal88.evad.winEXE@28/327@1/5
                  Source: C:\Users\user\Desktop\442.docx.exeCode function: 0_2_00007FF6E996B6D8 GetLastError,FormatMessageW,LocalFree,0_2_00007FF6E996B6D8
                  Source: C:\Users\user\Desktop\442.docx.exeCode function: 0_2_00007FF6E9988624 FindResourceExW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,0_2_00007FF6E9988624
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEFile created: C:\Users\user\AppData\Roaming\Microsoft\Office
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeMutant created: \BaseNamedObjects\madExceptSettingsMtx$1fa8
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeMutant created: \Sessions\1\BaseNamedObjects\Local\RManFUSTray
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeMutant created: NULL
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeMutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1ec4
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeMutant created: \Sessions\1\BaseNamedObjects\HookTThread$970
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeMutant created: \BaseNamedObjects\HookTThread$1fa8
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeMutant created: \BaseNamedObjects\madExceptSettingsMtx$828
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeMutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1ee4
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeMutant created: \Sessions\1\BaseNamedObjects\Local\RManFUSLocal
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeMutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$970
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeMutant created: \Sessions\1\BaseNamedObjects\HookTThread$e68
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeMutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$e68
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeMutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1d58
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeMutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1dac
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeMutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1e34
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\~DF64FBDC7A7C0C60AC.TMP
                  Source: 442.docx.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeKey opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeKey opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
                  Source: C:\Users\user\Desktop\442.docx.exeFile read: C:\Windows\win.ini
                  Source: C:\Users\user\Desktop\442.docx.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: rfusclient.exeString found in binary or memory: ENGINESDIR: "E:/dev/vcpkg/installed/x86-mingw-static/lib/engines-3"
                  Source: rfusclient.exeString found in binary or memory: MODULESDIR: "E:/dev/vcpkg/installed/x86-mingw-static/lib/ossl-modules"
                  Source: rfusclient.exeString found in binary or memory: E:/dev/vcpkg/installed/x86-mingw-static/lib/ossl-modules
                  Source: rfusclient.exeString found in binary or memory: E:/dev/vcpkg/installed/x86-mingw-static/lib/engines-3
                  Source: C:\Users\user\Desktop\442.docx.exeFile read: C:\Users\user\Desktop\442.docx.exe
                  Source: unknownProcess created: C:\Users\user\Desktop\442.docx.exe "C:\Users\user\Desktop\442.docx.exe"
                  Source: C:\Users\user\Desktop\442.docx.exeProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\intel\Word.msi" /qn
                  Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                  Source: C:\Users\user\Desktop\442.docx.exeProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\intel\Doc.docx" /o ""
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 27EB6A3C3744FE0C3070BA0974142203
                  Source: unknownProcess created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" -msi_copy "C:\intel\Word.msi"
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
                  Source: unknownProcess created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -service
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeProcess created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeProcess created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeProcess created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeProcess created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess created: unknown unknown
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: version.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: dxgidebug.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: sfc_os.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: dwmapi.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: riched20.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: usp10.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: msls31.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: windowscodecs.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: textshaping.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: textinputframework.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: coreuicomponents.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: coremessaging.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: ntmarta.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: coremessaging.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: wldp.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: propsys.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: profapi.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: edputil.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: urlmon.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: iertutil.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: srvcli.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: netutils.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: policymanager.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: msvcp110_win.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: appresolver.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: bcp47langs.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: slc.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: userenv.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: sppc.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: pcacli.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: mpr.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: vcruntime140_1.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: vcruntime140.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: msvcp140.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: vcruntime140.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: xmllite.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: mlang.dll
                  Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dll
                  Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dll
                  Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dll
                  Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dll
                  Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dll
                  Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dll
                  Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dll
                  Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dll
                  Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dll
                  Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dll
                  Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dll
                  Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dll
                  Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dll
                  Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dll
                  Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dll
                  Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: oledlg.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: shfolder.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: wsock32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: msacm32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: faultrep.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: dbghelp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: dbgcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: ntmarta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: libasset32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: cryptbase.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: windows.storage.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: wldp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: olepro32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: msftedit.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: fwpuclnt.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: idndl.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: profapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winhttp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: shfolder.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wsock32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: msasn1.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: faultrep.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dbghelp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dbgcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: ntmarta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: libasset32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: cryptbase.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: windows.storage.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wldp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: olepro32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: oleacc.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dwmapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: msimg32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_is2022.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_g18030.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_iscii.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: profapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winhttp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: shfolder.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wsock32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: msasn1.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: faultrep.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dbghelp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dbgcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: ntmarta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: libasset32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: cryptbase.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: windows.storage.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wldp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: olepro32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: oleacc.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dwmapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: msimg32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_is2022.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_g18030.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_iscii.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: firewallapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dnsapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: fwbase.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: fwpolicyiomgr.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: sxs.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winhttp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: shfolder.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wsock32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: msasn1.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: faultrep.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dbghelp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dbgcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: ntmarta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: libasset32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: cryptbase.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: windows.storage.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wldp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: olepro32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: oleacc.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dwmapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: msimg32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_is2022.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_g18030.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_iscii.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winhttp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: shfolder.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wsock32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: msasn1.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: faultrep.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dbghelp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dbgcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: ntmarta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: libasset32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: cryptbase.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\442.docx.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
                  Source: Doc.LNK.3.dr LNK file: ..\..\..\..\..\..\..\intel\Doc.docx
                  Source: C:\Windows\System32\msiexec.exe File written: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppd.ini
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
                  Source: Window Recorder Window detected: More than 3 window changes detected
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
                  Source: 442.docx.exe Static PE information: Image base 0x140000000 > 0x60000000
                  Source: 442.docx.exe Static file information: File size 25141051 > 1048576
                  Source: 442.docx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: 442.docx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: 442.docx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: 442.docx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: 442.docx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: 442.docx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: 442.docx.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                  Source: 442.docx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: 442.docx.exe, 00000000.00000000.1709867810.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp, 442.docx.exe, 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                  Source: 442.docx.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: 442.docx.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: 442.docx.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: 442.docx.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: 442.docx.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                  Data Obfuscation

                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Unpacked PE file: 10.2.rfusclient.exe.f50000.0.unpack
                  Source: C:\Users\user\Desktop\442.docx.exe File created: C:\intel\__tmp_rar_sfx_access_check_3941062
                  Source: 442.docx.exe Static PE information: section name: .didat
                  Source: 442.docx.exe Static PE information: section name: _RDATA
                  Source: webmvorbisencoder.dll.2.dr Static PE information: section name: _RDATA
                  Source: vp8encoder.dll.2.dr Static PE information: section name: .rodata
                  Source: vp8decoder.dll.2.dr Static PE information: section name: .rodata
                  Source: webmvorbisdecoder.dll.2.dr Static PE information: section name: _RDATA
                  Source: libasset32.dll.2.dr Static PE information: section name: /4
                  Source: libasset32.dll.2.dr Static PE information: section name: /14
                  Source: libasset32.dll.2.dr Static PE information: section name: /29
                  Source: libasset32.dll.2.dr Static PE information: section name: /41
                  Source: libasset32.dll.2.dr Static PE information: section name: /55
                  Source: libasset32.dll.2.dr Static PE information: section name: /67
                  Source: libasset32.dll.2.dr Static PE information: section name: /78
                  Source: libasset32.dll.2.dr Static PE information: section name: /94
                  Source: libasset32.dll.2.dr Static PE information: section name: /110
                  Source: libcodec32.dll.2.dr Static PE information: section name: .rodata
                  Source: libcodec32.dll.2.dr Static PE information: section name: /4
                  Source: libcodec32.dll.2.dr Static PE information: section name: /14
                  Source: libcodec32.dll.2.dr Static PE information: section name: /29
                  Source: libcodec32.dll.2.dr Static PE information: section name: /41
                  Source: libcodec32.dll.2.dr Static PE information: section name: /55
                  Source: libcodec32.dll.2.dr Static PE information: section name: /67
                  Source: libcodec32.dll.2.dr Static PE information: section name: /78
                  Source: libcodec32.dll.2.dr Static PE information: section name: /94
                  Source: libcodec32.dll.2.dr Static PE information: section name: /110
                  Source: eventmsg.dll.2.dr Static PE information: section name: .didata
                  Source: vccorlib120.dll.2.dr Static PE information: section name: minATL
                  Source: rutserv.exe.2.dr Static PE information: section name: .didata
                  Source: rfusclient.exe.2.dr Static PE information: section name: .didata
                  Source: vccorlib120.dll0.2.dr Static PE information: section name: minATL
                  Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF6E99A5156 push rsi; retf 0_2_00007FF6E99A5157
                  Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF6E99A5166 push rsi; retf 0_2_00007FF6E99A5167
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Code function: 10_2_60047E30 push eax; mov dword ptr [esp], esi 10_2_60047ED1
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Code function: 17_2_013AC34B push ebx; ret 17_2_013AC354
                  Source: msvcr120.dll.2.dr Static PE information: section name: .text entropy: 6.95576372950548
                  Source: VPDAgent.exe.2.dr Static PE information: section name: .text entropy: 6.812931691200469
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\VPDAgent.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\ARPPRODUCTICON.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcr120.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rppd.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\emf2pdf.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_start_C00864331B9D4391A8A26292A601EBE2.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rppd.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdpm.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcr120.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdui.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\libasset32.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\vccorlib120.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rppd.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpd_sdk.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\vccorlib120.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\progressbar.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdpm.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\fwproc.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\MessageBox.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\libcodec32.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcp120.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\eventmsg.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3053.tmp
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\properties.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rppd.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpdisp.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\pdfout.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcp120.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\srvinst.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdui.dll
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\ARPPRODUCTICON.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_start_C00864331B9D4391A8A26292A601EBE2.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exeJump to dropped file
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\ProgramData\Remote Manipulator System\install.log
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf

                  Hooking and other Techniques for Hiding and Protection

                  Source: Possible double extension: docx.exe Static PE information: 442.docx.exe
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                  Source: C:\Windows\System32\msiexec.exe Key value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\RMS Host Installer Security
                  Source: C:\Users\user\Desktop\442.docx.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\442.docx.exeProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

                  Malware Analysis System Evasion

                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSystem information queried: FirmwareTableInformation
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSystem information queried: FirmwareTableInformation
                  Source: rutserv.exe, 0000000C.00000000.1872421176.00000000018A1000.00000020.00000001.01000000.0000000D.sdmp, rutserv.exe, 0000000C.00000002.1910189279.0000000002909000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000002.1994252538.0000000000D68000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OLLYDBG.EXE
                  Source: rutserv.exe, 00000010.00000002.1994252538.0000000000D68000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OLLYDBG.EXEP
                  Source: rutserv.exe, 0000000C.00000002.1910189279.0000000002909000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OLLYDBG.EXEE
                  Source: rutserv.exe, 00000010.00000002.1994252538.0000000000D68000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OLLYDBG.EXEEW
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeWindow / User API: threadDelayed 6288
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\VPDAgent.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\ARPPRODUCTICON.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rppd.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcr120.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\emf2pdf.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_start_C00864331B9D4391A8A26292A601EBE2.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rppd.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdpm.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcr120.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdui.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\vccorlib120.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rppd.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpd_sdk.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\vccorlib120.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\progressbar.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdpm.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\fwproc.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\MessageBox.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcp120.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\libcodec32.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\eventmsg.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\properties.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI3053.tmpJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rppd.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpdisp.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\pdfout.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\srvinst.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcp120.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdui.dllJump to dropped file
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_10-6554
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeAPI coverage: 5.8 %
                  Source: C:\Windows\System32\svchost.exe TID: 6524Thread sleep time: -30000s >= -30000sJump to behavior
                  Source: C:\Windows\System32\svchost.exe TID: 6428Thread sleep time: -30000s >= -30000sJump to behavior
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 8180Thread sleep time: -50000s >= -30000s
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 4476Thread sleep time: -60000s >= -30000s
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 5796Thread sleep count: 6288 > 30
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 5796Thread sleep time: -62880s >= -30000s
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 7324Thread sleep time: -30000s >= -30000s
                  Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeCode function: 0_2_00007FF6E99740BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF6E99740BC
                  Source: C:\Users\user\Desktop\442.docx.exeCode function: 0_2_00007FF6E998B190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF6E998B190
                  Source: C:\Users\user\Desktop\442.docx.exeCode function: 0_2_00007FF6E999FCA0 FindFirstFileExA,0_2_00007FF6E999FCA0
                  Source: C:\Users\user\Desktop\442.docx.exeCode function: 0_2_00007FF6E99916A4 VirtualQuery,GetSystemInfo,0_2_00007FF6E99916A4
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeThread delayed: delay time: 50000
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeThread delayed: delay time: 60000
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeFile opened: C:\Windows\SysWOW64\wininet.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeFile opened: C:\Windows\SysWOW64\winspool.drv
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeFile opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\COMCTL32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeFile opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeFile opened: C:\Windows\SysWOW64\
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeFile opened: C:\Windows\SysWOW64\winmm.dll
                  Source: rfusclient.exe, 0000000A.00000003.1856721971.0000000000B01000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7
                  Source: svchost.exe, 00000006.00000002.3419540978.000001E620C57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3418694570.000001E61B82B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3418719701.000001E61B843000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2611527049.0000000000BF6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeCode function: 0_2_00007FF6E9993170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6E9993170
                  Source: C:\Users\user\Desktop\442.docx.exeCode function: 0_2_00007FF6E99A0D20 GetProcessHeap,0_2_00007FF6E99A0D20
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /startJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeCode function: 0_2_00007FF6E9992510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF6E9992510
                  Source: C:\Users\user\Desktop\442.docx.exeCode function: 0_2_00007FF6E9993354 SetUnhandledExceptionFilter,0_2_00007FF6E9993354
                  Source: C:\Users\user\Desktop\442.docx.exeCode function: 0_2_00007FF6E99976D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6E99976D8
                  Source: C:\Users\user\Desktop\442.docx.exeProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\intel\Word.msi" /qnJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\intel\Doc.docx" /o ""Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstallJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewallJump to behavior
                  Source: rfusclient.exe, 0000000A.00000000.1831381748.0000000000F9F000.00000020.00000001.01000000.0000000B.sdmpBinary or memory string: Shell_TrayWndTrayNotifyWndSV
                  Source: C:\Users\user\Desktop\442.docx.exeCode function: 0_2_00007FF6E997DC70 cpuid 0_2_00007FF6E997DC70
                  Source: C:\Users\user\Desktop\442.docx.exeCode function: GetLocaleInfoW,GetNumberFormatW,0_2_00007FF6E998A2CC
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
                  Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                  Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                  Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                  Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                  Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF6E9990754 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF6E9990754
                  Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF6E9974EB0 GetVersionExW,0_2_00007FF6E9974EB0
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: rutserv.exe, 0000000C.00000000.1872421176.00000000018A1000.00000020.00000001.01000000.0000000D.sdmp, rutserv.exe, 0000000C.00000002.1910189279.0000000002909000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXE
                  Source: rutserv.exe, 00000010.00000002.1994252538.0000000000D68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ollydbg.exe
                  Source: C:\Windows\System32\msiexec.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD Blob
                  Source: Yara match File source: 10.0.rfusclient.exe.f50000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: Process Memory Space: rfusclient.exe PID: 7596, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: rutserv.exe PID: 7732, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: rutserv.exe PID: 8104, type: MEMORYSTR
                  Source: Yara match File source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, type: DROPPED
                  Source: Yara match File source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, type: DROPPED
                  Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                  Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                  Initial Access: Replication Through Removable Media (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                  Execution: Native API (1); Command and Scripting Interpreter (2); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                  Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                  Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Extra Window Memory Injection (1); Process Injection (12); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                  Defense Evasion: Disable or Modify Tools (2); Obfuscated Files or Information (13); Software Packing (12); DLL Side-Loading (1); File Deletion (1); Extra Window Memory Injection (1); Masquerading (122); Modify Registry (1); Virtualization/Sandbox Evasion (131); Process Injection (12)
                  Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                  Discovery: System Time Discovery (1); Peripheral Device Discovery (11); File and Directory Discovery (4); System Information Discovery (67); Query Registry (1); Security Software Discovery (251); Process Discovery (2); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); Network Service Discovery
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                  Collection: Archive Collected Data (11); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                  Command and Control: Encrypted Channel (2); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (1); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                  Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
                  [Behavior graph: ID 1567177, Sample 442.docx.exe, Start date 03/12/2024, Architecture WINDOWS, Score 88]

                  No Antivirus matches
                  Source | Detection | Scanner | Label | Link
                  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\MessageBox.exe | 3% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\VPDAgent.exe | 0% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\emf2pdf.dll | 3% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\fwproc.exe | 3% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\pdfout.dll | 2% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\progressbar.exe | 3% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\properties.exe | 3% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\srvinst.exe | 3% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpd_sdk.dll | 2% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpdisp.exe | 2% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcp120.dll | 0% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcr120.dll | 0% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdpm.dll | 3% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdui.dll | 4% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe | 3% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rppd.dll | 3% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rppd.dll | 3% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll | 3% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\vccorlib120.dll | 0% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcp120.dll | 0% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcr120.dll | 0% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdpm.dll | 2% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdui.dll | 3% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe | 3% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rppd.dll | 3% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rppd.dll | 3% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll | 3% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\vccorlib120.dll | 0% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\eventmsg.dll | 8% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\libasset32.dll | 0% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\libcodec32.dll | 0% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | 13% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | 12% | ReversingLabs | Win32.Trojan.Generic
                  C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll | 0% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll | 0% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll | 0% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll | 0% | ReversingLabs
                  C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll | 0% | ReversingLabs
                  C:\Windows\Installer\MSI3053.tmp | 0% | ReversingLabs
                  C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\ARPPRODUCTICON.exe | 0% | ReversingLabs
                  C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe | 0% | ReversingLabs
                  C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe | 0% | ReversingLabs
                  C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_start_C00864331B9D4391A8A26292A601EBE2.exe | 0% | ReversingLabs
                  C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe | 0% | ReversingLabs
                  No Antivirus matches
                  Source | Detection | Scanner | Label | Link
                  main.internetid.ru | 0% | Virustotal | | Browse
                  id72.internetid.ru | 0% | Virustotal | | Browse
                  Source | Detection | Scanner | Label | Link
                  http://rmansys.ru/rd | 0% | Avira URL Cloud | safe
                  http://rmansys.ru/web-help/eb-help/D | 0% | Avira URL Cloud | safe
                  https://rmansys.ru/remote-access//rmansys.ru/remote-access/O | 0% | Avira URL Cloud | safe
                  http://rmansys.ru/pf | 0% | Avira URL Cloud | safe
                  http://rmansys.ru/nsys.ru/pf | 0% | Avira URL Cloud | safe
                  http://ocsp.glob | 0% | Avira URL Cloud | safe
                  https://rmansys.ru/IS_PREVENT_DOWNGRADE_EXITZ_DOWNGRADE_DETECTED;Z_UPGRADE_DETECTED;COMPANYNAME;INST | 0% | Avira URL Cloud | safe
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
                  main.internetid.ru | 95.213.205.83 | true | false | | unknown
                  prod.globalsign.map.fastly.net | 151.101.2.133 | true | false | | high
                  id72.internetid.ru | unknown | unknown | false | | unknown
                  Name | Source | Malicious | Antivirus Detection | Reputation
                                                                              https://www.remoteutilities.com/buy/money-back-guarantee.phprfusclient.exe, 0000000A.00000000.1833112802.0000000001A05000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000C.00000000.1886249822.0000000002361000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                high
                                                                                https://www.remoteutilities.com/about/privacy-policy.phprfusclient.exe, 0000000A.00000000.1833112802.0000000001A05000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000C.00000000.1886249822.0000000002361000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                  high
                                                                                  http://ocsp.globrutserv.exe, 00000011.00000003.2012865832.0000000000C9A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  http://rmansys.ru///rmansys.ru/;rutserv.exe, 00000011.00000002.3583938234.0000000002AD8000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://rmansys.ru/web-help/rutserv.exe, 00000011.00000002.3583938234.0000000002AD8000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      • No. of IPs < 25%
                                                                                      • 25% < No. of IPs < 50%
                                                                                      • 50% < No. of IPs < 75%
                                                                                      • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
77.223.124.212 | unknown | Russian Federation | 51604 | EKAT-ASRU | false
111.90.147.125 | unknown | Malaysia | 45839 | SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY | true
78.138.9.142 | unknown | United Kingdom | 8513 | SKYVISIONGB | false
95.213.205.83 | main.internetid.ru | Russian Federation | 50340 | SELECTEL-MSKRU | false
IP
127.0.0.1
                                                                                      Joe Sandbox version:41.0.0 Charoite
                                                                                      Analysis ID:1567177
                                                                                      Start date and time:2024-12-03 08:57:43 +01:00
                                                                                      Joe Sandbox product:CloudBasic
                                                                                      Overall analysis duration:0h 11m 7s
                                                                                      Hypervisor based Inspection enabled:false
                                                                                      Report type:full
                                                                                      Cookbook file name:default.jbs
                                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                      Run name:Run with higher sleep bypass
                                                                                      Number of analysed new started processes analysed:23
                                                                                      Number of new started drivers analysed:0
                                                                                      Number of existing processes analysed:0
                                                                                      Number of existing drivers analysed:0
                                                                                      Number of injected processes analysed:0
                                                                                      Technologies:
                                                                                      • HCA enabled
                                                                                      • EGA enabled
                                                                                      • AMSI enabled
                                                                                      Analysis Mode:default
                                                                                      Analysis stop reason:Timeout
                                                                                      Sample name:442.docx.exe
                                                                                      renamed because original name is a hash value
                                                                                      Original Sample Name: .docx.exe
                                                                                      Detection:MAL
                                                                                      Classification:mal88.evad.winEXE@28/327@1/5
                                                                                      EGA Information:
                                                                                      • Successful, ratio: 71.4%
                                                                                      HCA Information:Failed
                                                                                      Cookbook Comments:
                                                                                      • Found application associated with file extension: .exe
                                                                                      • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                                                      • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
                                                                                      • Excluded IPs from analysis (whitelisted): 52.109.32.97, 52.109.28.47, 52.113.194.132, 23.218.208.109, 199.232.210.172, 52.111.252.15, 52.111.252.16, 52.111.252.18, 52.111.252.17, 20.42.65.90, 2.17.100.200, 2.17.100.210, 23.32.238.128, 23.32.238.98, 2.19.198.57, 23.32.238.105, 23.32.238.137, 2.19.198.59, 151.101.2.133
                                                                                      • Excluded domains from analysis (whitelisted): binaries.templates.cdn.office.net.edgesuite.net, slscr.update.microsoft.com, templatesmetadata.office.net.edgekey.net, onedscolprdeus14.eastus.cloudapp.azure.com, eur.roaming1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ocsp.globalsign.com, a1847.dscg2.akamai.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, ukw-azsc-config.officeapps.live.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, prod-all.naturallanguageeditorservice.osi.office.net.akadns.net, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, prod-inc-resolver.naturallanguageeditorservice.osi.office.net.akadns.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roam
                                                                                      • Execution Graph export aborted for target rutserv.exe, PID 7732 because there are no executed function
                                                                                      • Execution Graph export aborted for target rutserv.exe, PID 7908 because there are no executed function
                                                                                      • Not all processes where analyzed, report is missing behavior information
                                                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                      • Report size getting too big, too many NtCreateFile calls found.
                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                      • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                      • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                      No simulations
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:data
                                                                                                              Category:modified
                                                                                                              Size (bytes):33259
                                                                                                              Entropy (8bit):5.289849337500237
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:768:H5t4t4t+ZXTWBwp1KwUXciM01HuECHgCg4gcgblFl6Y3TY3s8:KCBwpswUXceHuECHgCg4gcgblFlN3U3j
                                                                                                              MD5:7349A39DA4916878F9069FB5B32A41C9
                                                                                                              SHA1:BAADC465B7E4BA451ADEC1F9F4B9440003BD3781
                                                                                                              SHA-256:9B58ADCEB6B243F3B87351AE8F9140050A20EA8BEA87AC8A002F4445D36FE80B
                                                                                                              SHA-512:A31952C269684C627E3CE0421C52D11BF2B6C93D4DD506AA7257D86D06F279EC829208C987D6C47E742DD002AE889510E21681F2FA5195EC7B641C00C0B65138
                                                                                                              Malicious:false
                                                                                                              Preview:...@IXOS.@.....@V..Y.@.....@.....@.....@.....@.....@......&.{77817ADF-D5EC-49C6-B987-6169BBD5345B} .Remote Manipulator System - Host..Word.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{134AA6F2-2A49-44F2-A7A5-B7B9233956FA}.....@.....@.....@.....@.......@.....@.....@.......@.... .Remote Manipulator System - Host......Rollback....B.:.0.B. .4.5.9.A.B.2.8.O.:...[1]..RollbackCleanup..#.4.0.;.5.=.8.5. .2.@.5.<.5.=.=.K.E. .D.0.9.;.>.2...$.0.9.;.:. .[.1.].....ProcessComponents"...1.=.>.2.;.5.=.8.5. .@.5.3.8.A.B.@.0.F.8.8. .:.>.<.?.>.=.5.=.B.>.2...&.{74F2505E-B20A-4AED-968F-AE5B278DB38A}&.{77817ADF-D5EC-49C6-B987-6169BBD5345B}.@......&.{26EAB54E-4659-47E8-86F9-4CB74F7E03BE}&.{77817ADF-D5EC-49C6-B987-6169BBD5345B}.@......&.{596F4636-5D51-49F5-B3B4-F3C366E9DC23}&.{77817ADF-D5EC-49C6-B987-6169BBD5345B}.@......&.{596F4636-5D51-49F5-B3B4-F3C366E9DC23}&.{00000000-0000-0000-0000-000000000000}.@......&.{182310A2-CD9E-4171-ACD1-3AEDD260A15F}&.{77817ADF-D5EC-49C6-B987-6169BBD5345B}.@......&.{3244CD
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):118
                                                                                                              Entropy (8bit):3.5700810731231707
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
                                                                                                              MD5:573220372DA4ED487441611079B623CD
                                                                                                              SHA1:8F9D967AC6EF34640F1F0845214FBC6994C0CB80
                                                                                                              SHA-256:BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
                                                                                                              SHA-512:F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
                                                                                                              Malicious:false
                                                                                                              Preview:<?xml version="1.0" encoding="UTF-16"?> <HeartbeatCache/>
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:Rich Text Format data, version 1, ANSI, code page 1251, default middle east language ID 1025
                                                                                                              Category:dropped
                                                                                                              Size (bytes):140524
                                                                                                              Entropy (8bit):4.705761523836363
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:768:wu3K4JDvJNJt2cGTXxl5loUWDTEhkClEgoKt9ai1IYdO5NVSUeDfydxqXJe2JNC0:wu93dN2OqrYZlKhIiSEGQ4wL
                                                                                                              MD5:65B04B706AC06E31210F4FFB1E92994E
                                                                                                              SHA1:B005637B3DE903CBD7960637D77FF993897C5A63
                                                                                                              SHA-256:E9ACC22A02BC2148AE07EC7CBE741E6E1CBC90DE3856AAE8F32A31FB5C338566
                                                                                                              SHA-512:5B708D069434A384738EFD5F4621F257FC79A7F5A32D8AE9C1D29E21EFE1EEB2C393EC67DA39714C0C73F2217B68091EE7196C72331838A0A7ECA872FAF09A09
                                                                                                              Malicious:false
                                                                                                              Preview:{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\*\panose 02020603050405020304}Times New Roman{\*\falt Times New Roman};}..{\f1\fbidi \fswiss\fcharset204\fprq2{\*\panose 020b0604020202020204}Arial;}{\f2\fbidi \fmodern\fcharset204\fprq1{\*\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\*\panose 05050102010706020507}Symbol;}..{\f10\fbidi \fnil\fcharset2\fprq2{\*\panose 05000000000000000000}Wingdings;}{\f34\fbidi \froman\fcharset204\fprq2{\*\panose 02040503050406030204}Cambria Math;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\*\panose 02020603050405020304}Times New Roman{\*\falt Times New Roman};}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\*\panose 02020603050405020304}Times New Roman{\*\falt Times New Roman};}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\*\panose 0204
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):15680
                                                                                                              Entropy (8bit):6.579534230870796
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:XxgSABvdm4Yy3EA39QKoEp0Fm7qFAmL8x2fLWwsU7K6CYv7+C:Xx0FmW3Ea1KmexmMK6jr
                                                                                                              MD5:C2F009D6317D1BA4E722938A1408478A
                                                                                                              SHA1:66D702BC9FA98D1E7FE9BBC16AFF9AE711019E9B
                                                                                                              SHA-256:6A8D4FB6F90B53D986B2AC6BF3BFCC56D6A54A2E8AF5670129566F5D344ED0FA
                                                                                                              SHA-512:4D8060EC77EB9B95B57BC20AF2685064FA1E1FCC9403EFE95572C37D72ACD39B8005831EA0BAE95C365E945E50962B7FE1BFD964C5776D3E99CE5E474F726BFE
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                                                                              Joe Sandbox View:
                                                                                                              • Filename: J4zGPhVRV3.exe, Detection: malicious
                                                                                                              • Filename: SecuriteInfo.com.PUA.Tool.RemoteControl.20.28594.18180.exe, Detection: malicious
                                                                                                              • Filename: 044f.pdf.scr, Detection: malicious
                                                                                                              • Filename: 3e#U043c.scr, Detection: malicious
                                                                                                              • Filename: GkLbUGixzx.exe, Detection: malicious
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):2673984
                                                                                                              Entropy (8bit):6.865614554810881
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:49152:BE8JxHX5r9sDQl7wDSMSFxvQ/qpyr0k0ha5XLDaDMPNw2x8pWTUKA76AeF8:BE8XHX5riUl7wDP6vQ/qpyr0kR5XLWDB
                                                                                                              MD5:10CD2135C0C5D9D3E5A0A5B679F2FAAE
                                                                                                              SHA1:A0617D8C6876F98B9A1819A71F2A56B965C1C75D
                                                                                                              SHA-256:D7A97387505CA740AC88E85CAC3AA3CA73C666CC3BFD977C7E40B1D9D6CA6C12
                                                                                                              SHA-512:6A1F81127FF26DCC235D7CE454E69F9A3784AC54BBC8486CB5022AAC47C2FB6003641A0F8AAFDD3B89812FE3C1C90569AD73C1C135687C042CE92C5DD2FFBDD8
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1110848
                                                                                                              Entropy (8bit):6.491478844569486
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24576:TqSQS800orApz53PI2GVqH7kpf/V57GGcP6T5m+moXafzb:tQSX0oAtkpf/bfcyTTmoozb
                                                                                                              MD5:AB3E77FC94445A18C9376F98CE10102F
                                                                                                              SHA1:9424736FB3DB517C5584A14A482F84D81A671F8D
                                                                                                              SHA-256:EEE325D9AC6A7B24B8ED3742110BD042803D6DA065F2E51153151E69D51CE4A3
                                                                                                              SHA-512:454115C621434E98D39AEC605FCEB349C7AFB938B3E822F5950EE60E54FBFCB5CDBFE750015FE947C07FB991B4E966E535640343294D885ED2661353D3FD6EC9
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):22848
                                                                                                              Entropy (8bit):6.464002114523214
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:2+b57Gk7g+iy21oCiDuK9jkrtpgjKMpFmexmMK6j8qF2:7/210DuVrtsKM3ZxBKghF2
                                                                                                              MD5:2DE35EAAE57A6BAA02D9E8ED0661F042
                                                                                                              SHA1:82D14A58D5188F5B7606365BE0E3F968A8E81E93
                                                                                                              SHA-256:BB43036D202D3DBD765A12D1C4C243E7AB8328FFC1941AEA838D8B1553700E64
                                                                                                              SHA-512:02F1D530C1469431A94074A057FCE3FE60735D3B15DD767E8F39F29B702B98B061954063D83D5FA426D7684CC86359E87424F0CC54FFB0AC3F388AA7E48D6DE0
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):4005696
                                                                                                              Entropy (8bit):6.809616089473951
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:98304:lbR+lDT6t58JcKdTG57M06POn9rvBAUZLM8FAK:FR+lDOt5kgFvVwmd
                                                                                                              MD5:2C5987EA1E87A5C073B780F8102AE09C
                                                                                                              SHA1:78DAA99D8C59A4A2E0D3B59E5427F854D8613080
                                                                                                              SHA-256:22AC34380064C0FFEE59AD892CA4695E94EE8F97B78C18565251295817A784FE
                                                                                                              SHA-512:7D6432960C5F3BEC27B13D06D4126C91A1DD7DD702DE97F1001855D8572BE68D6526F419BB58F5E5238E8E8F81C801BDAD8F351EF0AE75564835146F3DD3434D
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 2%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:MS Windows icon resource - 6 icons, 32x32, 4 bits/pixel, 16x16, 4 bits/pixel
                                                                                                              Category:dropped
                                                                                                              Size (bytes):10134
                                                                                                              Entropy (8bit):5.364629779133003
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:75LkqDCmLVf89uqywWrvNCB4isySOc3AOv2B+YT1/44tuU+3:1OmLVf4dErvNCB5tSOc3AY2BP944g
                                                                                                              MD5:6F70BD62A17EC5B677EC1129F594EE6F
                                                                                                              SHA1:4FB95EB83A99C0DA62919C34886B0A3667F3911E
                                                                                                              SHA-256:FC8570D50C1773A1B34AA4E31143FD0776E26FF032EE3EEB6DB8BFAB42B4A846
                                                                                                              SHA-512:615A7E8738B2CF1BC47C8D5FC1357C1299080D0BAA1E54129D0DEBDB6BA60CD366364BE0BDAFDABCBA60F16544B0516A50B4B0182E8BCF01F59171003CE9B244
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):39744
                                                                                                              Entropy (8bit):6.36744082696392
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:TkzqOI138e1y6JMKxTrAogoAoaP7+qFXYiLxjdQzUQ9LSk3E0gTSsn2TkhI3K0Jn:TLqokSaddQzUNk3EXSsn2Tk4ZZxBKgfP
                                                                                                              MD5:9ED8BAA9DEC76C6AFAFC1C71193A0AE8
                                                                                                              SHA1:843727F195BF194CFF3736B80FB5249713F1E116
                                                                                                              SHA-256:CD2C60402D46C339147ADDF110C904F78A783F23106CCAD147EFA156175D66DE
                                                                                                              SHA-512:40D85540176AB0170B7341D6A8A808FD351B35C6444D468E7707B35D2B2E8F3322DBF0BF31E0578E3A12E1A62B310DD7983B7EFB0F2C72D0C4104AEB0BBCEFF9
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):179520
                                                                                                              Entropy (8bit):5.239011393842513
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:1536:+vQrKBVxKfGkHM5ZZ+HHJOWfuXO8zIJ1k9XHX8t0wk7UAjKQpmErUaDO3nG:3kjiTGD+JOWGT00XHXo0w+mErBO3G
                                                                                                              MD5:FF197487BFE7E9D3396E0793B83811ED
                                                                                                              SHA1:D92CA066B79DF28BF22BB051AEDFE10E4FA4A2A6
                                                                                                              SHA-256:E6D0CA844514FDD105772E72C7C30D47099112AB68A4A5F9E4A2B28C0372A05A
                                                                                                              SHA-512:33A13B0EE7E3DD038B35B5E4220278016397D003DCEECA56C3EE264608E053940AAFC09AE582C0FD67DFA919F38265883269F6C1A93E5BB9047B97F4A51CACCE
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):98650
                                                                                                              Entropy (8bit):4.192473934109759
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:768:5rENOwVRq6rZmor3CmRxhESLGZ0s1JP2PY6rZIshvwmE2uJJ6rZqDJK1YRo6rZGx:S9miFao0WDn
                                                                                                              MD5:1614E6CDF119FD284D476F7E6723B3AD
                                                                                                              SHA1:3FF9164C9E5FC47169CC1C6EECA22AAB099F2EA3
                                                                                                              SHA-256:C8DF350F95FFEEED30060092DC8666EADCE040A4DDCB98E7A9293F87D19387A8
                                                                                                              SHA-512:8FBCB156B2F9637BC15FA71758A361CB2500F5A19875EE6BE2B52FC3171C38353A6CDC623E36777D052E0B319C7AF934D2D1DBE92E69666C9B9AD749610BA471
                                                                                                              Malicious:false
                                                                                                              Preview:..[.E.n.g.l.i.s.h.].....L.a.n.g.I.D.=.1.0.3.3.....;. .l.o.o.k. .f.o.r. .l.a.n.g.u.a.g.e. .i.d.e.n.t.i.f.i.e.r.s. .i.n. .M.S.D.N. .-. .'.T.a.b.l.e. .o.f. .L.a.n.g.u.a.g.e. .I.d.e.n.t.i.f.i.e.r.s.'. .t.o.p.i.c.........;. .S.T.A.N.D.A.R.D. .D.I.A.L.O.G. .B.U.T.T.O.N.S.:.........1.=.O.K.....2.=.C.a.n.c.e.l.........;. .P.R.I.N.T.I.N.G. .P.R.E.F.E.R.E.N.C.E.S.:.........;. .C.o.m.m.o.n. .s.t.r.i.n.g.s.....;. .b.i.t.s. .p.e.r. .p.i.x.e.l.....5.0.0.0. .=. .1. .b.i.t. .-. .b.l.a.c.k. .a.n.d. .w.h.i.t.e.....5.0.0.1. .=. .4. .b.i.t.s. .-. .1.6. .c.o.l.o.r.s.....5.0.0.2. .=. .8. .b.i.t.s. .-. .2.5.6. .c.o.l.o.r.s.....5.0.0.3. .=. .2.4. .b.i.t.s. .-. .t.r.u.e. .c.o.l.o.r.........;. .C.o.m.p.r.e.s.s.i.o.n.....5.0.0.4. .=. .N.o.n.e.....5.0.0.5. .=. .A.u.t.o.m.a.t.i.c.....5.0.0.6. .=. .C.C.I.T.T. .m.o.d.i.f.i.e.d. .H.u.f.f.m.a.n. .R.L.E.....5.0.0.7. .=. .C.C.I.T.T. .G.r.o.u.p. .3. .f.a.x. .e.n.c.o.d.i.n.g.....5.0.0.8. .=. .C.C.I.T.T. .G.r.o.u.p. .4. .f.a.x. .e.n.c.o.d.i.n.g.....5.0.0.9. .=. .L.e.m.p.e.
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):53056
                                                                                                              Entropy (8bit):6.556803642202102
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:768:AqfYixknAt1kJSwlxeZQHPFtuEK+XLxSzELK4ZHZxBKgCu:8ixknqaxxeZ09tVr7xkyZ5ncu
                                                                                                              MD5:A7A19BFD82EEAE7D4DC00144F3B949F4
                                                                                                              SHA1:FBD6EF10A7D519386CB32B093AE7E42852BAECBD
                                                                                                              SHA-256:A32A93B71A5628EDFC19FD31D26AC60DAF364E89CFDA2C82071718814042BE55
                                                                                                              SHA-512:5AC0F6A0FDAAB8B832B0021948101ABD1C8AF8B79E0C02D60770DF22D945D669AE7D588BD3264F9991E11CBAB01A445AAC9B594B47171C68A6A7BDC3FBB8D962
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):2772288
                                                                                                              Entropy (8bit):6.917291195041145
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:49152:UuZqJvz7GHYFVw8vfMVDpaLGtH3uSvQ/qpyr0kiU6HoCPLG5gzyUxChRebU:UuZqJvz7GHGVfvfMVDNNxvQ/qpyr0kpj
                                                                                                              MD5:9FD469846E628F44A4147743875FFBC0
                                                                                                              SHA1:6065C496D7C2695F3678D945FFA3FEFFBCD83C53
                                                                                                              SHA-256:129C2D91F085E54FD9E333C6F580A16907A1D9659D823D6C7CB25F5D3CE55CC8
                                                                                                              SHA-512:5AF5DD95BE604E039337D153CED2B9D3FE33F2E05818E3A222FDD9F7B3381197CCF3CA39324F46CA95B81DF76624F0EF4A0CF045195640E58B9A233D092F43AB
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 2%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):2991424
                                                                                                              Entropy (8bit):6.7900679594310915
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:49152:kz1BQT/9rrcXgJoHt3LhNSTuHo6E7hVNO8B/3LUvQ/qpyr0kRZTKjEKMUP9isAxI:kz1BI5U3lNS6Ho6E7vBRIvQ/qpyr0kuF
                                                                                                              MD5:829DD10CD377386A2040897F5288DDB0
                                                                                                              SHA1:A7B1C7A6C0E1C9641750E8150EE810530FB67DD0
                                                                                                              SHA-256:5753F66DBC480901955DE247117F3C1E99777B1A610C90931E50C374F8B1D888
                                                                                                              SHA-512:C6B915EBF7B1C023FBB2E06FB169857539253CFA2B5B5C770DF5A43896AF8A0C847796E3F82C6109778F11D7FE3976DA172E1E0E6EACCD1C82DBAEB80ADAB4F5
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 2%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):660128
                                                                                                              Entropy (8bit):6.339798513733826
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12288:N2fus43uu43Ry4GHlT4xH2K+M+/i+WSpY+7YOzCaK9A3gS2EKZm+GWodEEwnyh:muJzCaK9AB2EKZm+GWodEEwnyh
                                                                                                              MD5:46060C35F697281BC5E7337AEE3722B1
                                                                                                              SHA1:D0164C041707F297A73ABB9EA854111953E99CF1
                                                                                                              SHA-256:2ABF0AAB5A3C5AE9424B64E9D19D9D6D4AEBC67814D7E92E4927B9798FEF2848
                                                                                                              SHA-512:2CF2ED4D45C79A6E6CEBFA3D332710A97F5CF0251DC194EEC8C54EA0CB85762FD19822610021CCD6A6904E80AFAE1590A83AF1FA45152F28CA56D862A3473F0A
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):963232
                                                                                                              Entropy (8bit):6.634408584960502
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24576:FkZ+EUPoH5KTcAxt/qvRQdxQxO61kCS9mmWymzVPD:FkMAlM8ixQI5C6wl
                                                                                                              MD5:9C861C079DD81762B6C54E37597B7712
                                                                                                              SHA1:62CB65A1D79E2C5ADA0C7BFC04C18693567C90D0
                                                                                                              SHA-256:AD32240BB1DE55C3F5FCAC8789F583A17057F9D14914C538C2A7A5AD346B341C
                                                                                                              SHA-512:3AA770D6FBA8590FDCF5D263CB2B3D2FAE859E29D31AD482FBFBD700BCD602A013AC2568475999EF9FB06AE666D203D97F42181EC7344CBA023A8534FB13ACB7
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:Windows setup INFormation
                                                                                                              Category:dropped
                                                                                                              Size (bytes):9698
                                                                                                              Entropy (8bit):3.8395767056459316
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:jxUPudWfG9sPEd5yVplXhzPGeQ6cGIDGzBs+2o5WcicJXoNaTXy:jyxFeGIDIFXoNT
                                                                                                              MD5:6476F7217D9D6372361B9E49D701FB99
                                                                                                              SHA1:E1155AB2ACC8A9C9B3C83D1E98F816B84B5E7E25
                                                                                                              SHA-256:6135D3C9956A00C22615E53D66085DABBE2FBB93DF7B0CDF5C4F7F7B3829F58B
                                                                                                              SHA-512:B27ABD8ED640A72424B662AE5C529CDDA845497DC8BD6B67B0B44AE9CDD5E849F627E1735108B2DF09DD6EF83AD1DE6FAA1AD7A6727B5D7A7985F92A92CA0779
                                                                                                              Malicious:false
                                                                                                              Preview:..............;. .N.T.P.R.I.N.T...I.N.F. .(.f.o.r. .W.i.n.d.o.w.s. .S.e.r.v.e.r. .2.0.0.3. .f.a.m.i.l.y.).....;.....;. .L.i.s.t. .o.f. .s.u.p.p.o.r.t.e.d. .p.r.i.n.t.e.r.s.,. .m.a.n.u.f.a.c.t.u.r.e.r.s.....;.........[.V.e.r.s.i.o.n.].....S.i.g.n.a.t.u.r.e.=.".$.W.i.n.d.o.w.s. .N.T.$.".....P.r.o.v.i.d.e.r.=.".M.i.c.r.o.s.o.f.t.".....C.l.a.s.s.G.U.I.D.=.{.4.D.3.6.E.9.7.9.-.E.3.2.5.-.1.1.C.E.-.B.F.C.1.-.0.8.0.0.2.B.E.1.0.3.1.8.}.....C.l.a.s.s.=.P.r.i.n.t.e.r.....C.a.t.a.l.o.g.F.i.l.e.=.n.t.p.r.i.n.t...c.a.t.....D.r.i.v.e.r.I.s.o.l.a.t.i.o.n.=.2.....D.r.i.v.e.r.V.e.r.=.0.6./.2.1./.2.0.0.6.,.6...1...7.6.0.0...1.6.3.8.5.........[.M.a.n.u.f.a.c.t.u.r.e.r.].....".M.i.c.r.o.s.o.f.t.".=.M.i.c.r.o.s.o.f.t.,.N.T.a.m.d.6.4.........[.M.i.c.r.o.s.o.f.t...N.T.a.m.d.6.4.].....".{.D.2.0.E.A.3.7.2.-.D.D.3.5.-.4.9.5.0.-.9.E.D.8.-.A.6.3.3.5.A.F.E.7.9.F.0.}.". .=. .{.D.2.0.E.A.3.7.2.-.D.D.3.5.-.4.9.5.0.-.9.E.D.8.-.A.6.3.3.5.A.F.E.7.9.F.0.}.,. .{.D.2.0.E.A.3.7.2.-.D.D.3.5.-.4.9.5.0.-.9.E.D.8.-.A.6.3.3.5.A.F.
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:MS Windows icon resource - 6 icons, 32x32, 4 bits/pixel, 16x16, 4 bits/pixel
                                                                                                              Category:dropped
                                                                                                              Size (bytes):10134
                                                                                                              Entropy (8bit):5.364629779133003
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:75LkqDCmLVf89uqywWrvNCB4isySOc3AOv2B+YT1/44tuU+3:1OmLVf4dErvNCB5tSOc3AY2BP944g
                                                                                                              MD5:6F70BD62A17EC5B677EC1129F594EE6F
                                                                                                              SHA1:4FB95EB83A99C0DA62919C34886B0A3667F3911E
                                                                                                              SHA-256:FC8570D50C1773A1B34AA4E31143FD0776E26FF032EE3EEB6DB8BFAB42B4A846
                                                                                                              SHA-512:615A7E8738B2CF1BC47C8D5FC1357C1299080D0BAA1E54129D0DEBDB6BA60CD366364BE0BDAFDABCBA60F16544B0516A50B4B0182E8BCF01F59171003CE9B244
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):17415
                                                                                                              Entropy (8bit):4.618177193109944
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:U1EQCr2g2t2g2F2s2J2m2p2z2ZOgoNJUTIZah25Dy:3oLILwfcV86ZO3eTIZzy
                                                                                                              MD5:8EE7FD65170ED9BD408E0C821171B62A
                                                                                                              SHA1:9D14A87A049C3B576CEC4B28210F0C95B94E08E0
                                                                                                              SHA-256:EE1E4D9869188CC3FA518C445ECF071845E5BD8BE56767A9F7F7DD3ACE294BA5
                                                                                                              SHA-512:5740AB3545D2217BA2156C58BA9AF6681D73116AB5DFBEAA5AB615D9CD0C77716C25865E67188E9D7892B340776755D4CBB1A3E98FAEAF8B6BB4B2CCA00D8AE6
                                                                                                              Malicious:false
                                                                                                              Preview:*GPDSpecVersion: "1.0"..*GPDFileVersion: "1.0"..*GPDFileName: "***.GPD"..*Include: "STDNAMES_VPD.GPD"..*ModelName: "****"..*MasterUnits: PAIR(40800, 117600)..*ResourceDLL: "UNIRES_VPD.DLL"..*PrinterType: PAGE..*MaxCopies: 99....*Feature: Orientation..{.. *rcNameID: =ORIENTATION_DISPLAY.. *DefaultOption: PORTRAIT.. *Option: PORTRAIT.. {.. *rcNameID: =PORTRAIT_DISPLAY.. *Command: CmdSelect.. {.. *Order: DOC_SETUP.6.. *Cmd: "".. }.. }.. *Option: LANDSCAPE_CC270.. {.. *rcNameID: =LANDSCAPE_DISPLAY.. *Command: CmdSelect.. {.. *Order: DOC_SETUP.6.. *Cmd: "".. }.. }..}..*Feature: InputBin..{.. *rcNameID: =PAPER_SOURCE_DISPLAY.. *DefaultOption: AUTO...*Option: AUTO.. {.. *rcNameID: =AUTO_DISPLAY.. *Command: CmdSelect.. {.. *Order: DOC_SETUP.9.. *Cmd: "".. }.. }.. *Option: CASSETTE.. {.. *rcNameID:
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):41
                                                                                                              Entropy (8bit):4.479503224130278
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:z8ANyq3jII7Vc:z8cy2lc
                                                                                                              MD5:035B163A3E4C308F617C05E0137FAFD0
                                                                                                              SHA1:484238C9C05805F1CA5A97FA58950253B7F9FCBE
                                                                                                              SHA-256:00CA9230DBAC7FF222CA837AA796496FF4B9B15E0552D3D5AD26B040E2BAB8D7
                                                                                                              SHA-512:3EB65CF86C3C71944C8100F90C60604DB4EA69CB187F8E473601845EB4520148CF3779762EF997DC5C14FE8A2269B928448DDF0338A4F172C0460FA0D6F29798
                                                                                                              Malicious:false
                                                                                                              Preview:[OEMFiles] ..OEMConfigFile1=rppdui.dll ..
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):98650
                                                                                                              Entropy (8bit):4.192473934109759
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:768:5rENOwVRq6rZmor3CmRxhESLGZ0s1JP2PY6rZIshvwmE2uJJ6rZqDJK1YRo6rZGx:S9miFao0WDn
                                                                                                              MD5:1614E6CDF119FD284D476F7E6723B3AD
                                                                                                              SHA1:3FF9164C9E5FC47169CC1C6EECA22AAB099F2EA3
                                                                                                              SHA-256:C8DF350F95FFEEED30060092DC8666EADCE040A4DDCB98E7A9293F87D19387A8
                                                                                                              SHA-512:8FBCB156B2F9637BC15FA71758A361CB2500F5A19875EE6BE2B52FC3171C38353A6CDC623E36777D052E0B319C7AF934D2D1DBE92E69666C9B9AD749610BA471
                                                                                                              Malicious:false
                                                                                                              Preview:[English]..LangID=1033..; look for language identifiers in MSDN - 'Table of Language Identifiers' topic....; STANDARD DIALOG BUTTONS:....1=OK..2=Cancel....; PRINTING PREFERENCES:....; Common strings..; bits per pixel..5000 = 1 bit - black and white..5001 = 4 bits - 16 colors..5002 = 8 bits - 256 colors..5003 = 24 bits - true color....; Compression..5004 = None..5005 = Automatic..5006 = CCITT modified Huffman RLE..5007 = CCITT Group 3 fax encoding..5008 = CCITT Group 4 fax encoding..5009 = Lempe
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):35648
                                                                                                              Entropy (8bit):6.365966080243848
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:768:nE2YHORRn1SNBaiAL3X8jARHb2Os7fAK6ncZxBKg1xDo:E862HbPs7otEnzNo
                                                                                                              MD5:68EA0EC529B7B9D3284D860F5ABD9BB4
                                                                                                              SHA1:1A3951538D9E79F09792C8B118F010834A6C1273
                                                                                                              SHA-256:EE963C5960F6687789004175C3DF0098331BEBBCE992BF9C73EF9EF6ED73C1E0
                                                                                                              SHA-512:E62D2CFCA2433F4D647A5658141D63093D75491C60D1647F41FFDE74308BDF1A512DEBCC4A4535CE6FC9DE1ACB149D135D89366FE75FC9C52AA709C8887D7A28
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):204096
                                                                                                              Entropy (8bit):5.820956822859452
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3072:co2/UxSJBXgK5IsZsYMNV7jWCQQD9KdtvB1WOAahmRF:co284/XgGfbuYAKdf1WOAaO
                                                                                                              MD5:126C2BCC9112266CE33F9835A1E44B9C
                                                                                                              SHA1:B16C0D19797C7A0CC665BC8346ECF453234A83A4
                                                                                                              SHA-256:2736C2919966D17F27A34D69A7253CD4C2D09C6F7CF9FC03597F27BC73C0BDC2
                                                                                                              SHA-512:C25FC46CA2D8DAAD868FA2B5F1BA6CCAAC7F919C8C7CBB86952741B493D27E79EC8C7FD5F124A704B78F4197E6F3812D0FE0F64BC00117EE2AC09B41FAE85308
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 4%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):102208
                                                                                                              Entropy (8bit):6.071111727952987
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:1536:8Fqz3IwGZjZ8lt0nt0NhuGO7o6LJ/TJhjYEOYULzEnr:MwYrZNQCnKhnOtthUEOYULzEr
                                                                                                              MD5:CC0E2455CFF19B3585C9FA781428E88E
                                                                                                              SHA1:93EC9326F0CEE4E7F385525B03DDF0DF89A409E8
                                                                                                              SHA-256:AF24B7E339CC6B80ECF7B45050533E8227D6491EED2FD8C3FF2BF22406B027AA
                                                                                                              SHA-512:B995CD999B36B9BD3DC8BE60A7576701CB91D18DF21934521C578047CD135C91F1027058198B1867A4D46804C0514523B370ECEC0E6691A041189011E31166A6
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):14366
                                                                                                              Entropy (8bit):4.1817849062232195
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:NjThm8JC986ITRCzEzEpYNwtd29u7ZTl8hF:yFzOnS7z0
                                                                                                              MD5:7162D8977515A446D2C1E139DA59DED5
                                                                                                              SHA1:952F696C463B8410B1FA93A3B2B6DAE416A81867
                                                                                                              SHA-256:2835A439C6AE22074BC3372491CB71E6C2B72D0C87AE3EEE6065C6CAADF1E5C8
                                                                                                              SHA-512:508F7CA3D4BC298534AB058F182755851051684F8D53306011F03875804C95E427428BD425DD13633EEC79748BB64E78AAD43E75B70CC5A3F0F4E6696DBB6D8E
                                                                                                              Malicious:false
                                                                                                              Preview:*%%% Copyright (c) 1997-1999 Microsoft Corporation..*%%% value macros for standard feature names and standard option names..*%%% used in older Unidrv's.....*CodePage: 1252 *% Windows 3.1 US (ANSI) code page....*Feature: RESDLL..{.. *Name: "resource dll files".. *ConcealFromUI?: TRUE.... *Option: UniresDLL.. {.. *Name: "unires_vpd.dll".. }..}....*Macros: StdFeatureNames..{.. ORIENTATION_DISPLAY: RESDLL.UniresDLL.11100.. PAPER_SIZE_DISPLAY: RESDLL.UniresDLL.11101.. PAPER_SOURCE_DISPLAY: RESDLL.UniresDLL.11102.. RESOLUTION_DISPLAY: RESDLL.UniresDLL.11103.. MEDIA_TYPE_DISPLAY: RESDLL.UniresDLL.11104.. TEXT_QUALITY_DISPLAY: RESDLL.UniresDLL.11105.. COLOR_PRINTING_MODE_DISPLAY: RESDLL.UniresDLL.11106.. PRINTER_MEMORY_DISPLAY: RESDLL.UniresDLL.11107.. TWO_SIDED_PRINTING_DISPLAY: RESDLL.UniresDLL.11108.. PAGE_PROTECTION_
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):487232
                                                                                                              Entropy (8bit):6.340203111317007
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:MgjhSyqP1a/eVqxFxNCAiG3XyJ/2TxbfsEkhy+0F+K8lJrZdwwSvr:MglSTPaRxFdLXyJ/ebEEkx0rqJduJ
                                                                                                              MD5:AD6C433A57BE03EE0C75076D6FE99CD5
                                                                                                              SHA1:219EE785F2C8127DAA44B298B5B2B096FCCE8D12
                                                                                                              SHA-256:8A180D92A2C879A3384D24A38EC8C9FD6BFD183935E61DA0B97F1C67A7EC9EA7
                                                                                                              SHA-512:041FB9165068D0EA879632B883B3E247336A3BB159ED46AE053B60D074A0BB231FA2DEEDD6CB2BA17AACB771413A86A3F970480AF7A2311E51702288D3B9A30E
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:MS Windows 3.1 help, Tue Apr 17 13:11:56 2001, 21225 bytes
                                                                                                              Category:dropped
                                                                                                              Size (bytes):21225
                                                                                                              Entropy (8bit):3.9923245636306675
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:g8qo9MqLEGX9WkaNWvbAsmrEGckkwy95/HLQdu:g8rMqLwkW8AsqEHkkwy7N
                                                                                                              MD5:6798F64959C913673BD66CD4E47F4A65
                                                                                                              SHA1:C50FAA64C8267AC7106401E69DA5C15FC3F2034C
                                                                                                              SHA-256:0C02B226BE4E7397F8C98799E58B0A512515E462CCDAAC04EDC10E3E1091C011
                                                                                                              SHA-512:8D208306B6D0F892A2F16F8070A89D8EDB968589896CB70CF46F43BF4BEFB7C4CA6A278C35FE8A2685CC784505EFB77C32B0AABF80D13BCC0D10A39AE8AFB55A
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):892224
                                                                                                              Entropy (8bit):6.044434154548935
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12288:qpvsrQZu8F/bY6Pgx2B8UNG2Ql20gcwtH2qMP23so2:kZ5F/bYogxJUB9cwtHFMDp
                                                                                                              MD5:BB98224B0CB6F17D61AA24D7A46A08C5
                                                                                                              SHA1:DB78D1161EAA0C691DF76D1B6D7CC98793007BCE
                                                                                                              SHA-256:23A30F94360D710BB020DF76E7846AB991EDD6CA3C7F685AECF6CD1A019D451A
                                                                                                              SHA-512:D74291E8556911B77588D63EB20DB5D6642C31FEDD9EE186AE62D53C705F0CDBE14725ECBB8FC5FE770F45DFF05731EEBB2063A33BB78DF70B73CDCF4E86C465
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):770368
                                                                                                              Entropy (8bit):5.630939020655746
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12288:+kozBEoNh3bBPc/s4430ye84TF1dbua5TVhRre3kf8IKHgikinLd:SzBEGbL4Np84TQazCSiRd
                                                                                                              MD5:A0D2853BE8043F5FC4FEE04CFE5A8293
                                                                                                              SHA1:4FDF21E578739ABB4BCC938568F27897E733E229
                                                                                                              SHA-256:1D8C77B674F8294DB39B2CDE2873BDE5A2F6EBD65E14CAEEB58FBA94C92C1F3D
                                                                                                              SHA-512:FC5CE23DF55EF277D6DB898D5620697A3A061A5DD9BE63145CE71B966905CAC41B9785121709A2A0DCF8F90B76F484FAB619EB8DB40A873A867468ECF1620F99
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):356528
                                                                                                              Entropy (8bit):5.917051105867173
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:0g5dgFfqaKFJyHrByeUIRAHq0KzS9OAgfVgYCDlSv:0OdcUIRAHqAeX0a
                                                                                                              MD5:BDD8AE768DBF3E6C65D741CB3880B8A7
                                                                                                              SHA1:91B01FD48A586822C1D81CA80B950F8639CCE78C
                                                                                                              SHA-256:602ADD77CBD807D02306DE1D0179CB71A908EECB11677116FC206A7E714AB6D6
                                                                                                              SHA-512:7840554A66F033E556CF02772B8B3749C593657CA254E0F2DBD93B05F4600E11BA821EBA8FC038115C038B5E5AF2F8D2CF0A5AE1F1362E813CF0B5041BBBFF94
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):455328
                                                                                                              Entropy (8bit):6.698367093574994
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12288:uZ/8wcqw2oe+Z3VrfwfNOOoWhUgiW6QR7t5ss3Ooc8DHkC2e77/:W/8wVwHZFTwFOOos3Ooc8DHkC2e77/
                                                                                                              MD5:FD5CABBE52272BD76007B68186EBAF00
                                                                                                              SHA1:EFD1E306C1092C17F6944CC6BF9A1BFAD4D14613
                                                                                                              SHA-256:87C42CA155473E4E71857D03497C8CBC28FA8FF7F2C8D72E8A1F39B71078F608
                                                                                                              SHA-512:1563C8257D85274267089CD4AEAC0884A2A300FF17F84BDB64D567300543AA9CD57101D8408D0077B01A600DDF2E804F7890902C2590AF103D2C53FF03D9E4A5
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):970912
                                                                                                              Entropy (8bit):6.9649735952029515
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12288:LBmFyjLAOQaYkxGXPfY7eiWWcpOKnpTVOIxhK765qlRRb6x4pI23IbJQV:dmFyjLF847eiWWcoGZVOIxh/WxIAIbGV
                                                                                                              MD5:034CCADC1C073E4216E9466B720F9849
                                                                                                              SHA1:F19E9D8317161EDC7D3E963CC0FC46BD5E4A55A1
                                                                                                              SHA-256:86E39B5995AF0E042FCDAA85FE2AEFD7C9DDC7AD65E6327BD5E7058BC3AB615F
                                                                                                              SHA-512:5F11EF92D936669EE834A5CEF5C7D0E7703BF05D03DC4F09B9DCFE048D7D5ADFAAB6A9C7F42E8080A5E9AAD44A35F39F3940D5CCA20623D9CAFE373C635570F7
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:Windows setup INFormation
                                                                                                              Category:dropped
                                                                                                              Size (bytes):9698
                                                                                                              Entropy (8bit):3.8395767056459316
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:jxUPudWfG9sPEd5yVplXhzPGeQ6cGIDGzBs+2o5WcicJXoNaTXy:jyxFeGIDIFXoNT
                                                                                                              MD5:6476F7217D9D6372361B9E49D701FB99
                                                                                                              SHA1:E1155AB2ACC8A9C9B3C83D1E98F816B84B5E7E25
                                                                                                              SHA-256:6135D3C9956A00C22615E53D66085DABBE2FBB93DF7B0CDF5C4F7F7B3829F58B
                                                                                                              SHA-512:B27ABD8ED640A72424B662AE5C529CDDA845497DC8BD6B67B0B44AE9CDD5E849F627E1735108B2DF09DD6EF83AD1DE6FAA1AD7A6727B5D7A7985F92A92CA0779
                                                                                                              Malicious:false
                                                                                                              Preview:..............;. .N.T.P.R.I.N.T...I.N.F. .(.f.o.r. .W.i.n.d.o.w.s. .S.e.r.v.e.r. .2.0.0.3. .f.a.m.i.l.y.).....;.....;. .L.i.s.t. .o.f. .s.u.p.p.o.r.t.e.d. .p.r.i.n.t.e.r.s.,. .m.a.n.u.f.a.c.t.u.r.e.r.s.....;.........[.V.e.r.s.i.o.n.].....S.i.g.n.a.t.u.r.e.=.".$.W.i.n.d.o.w.s. .N.T.$.".....P.r.o.v.i.d.e.r.=.".M.i.c.r.o.s.o.f.t.".....C.l.a.s.s.G.U.I.D.=.{.4.D.3.6.E.9.7.9.-.E.3.2.5.-.1.1.C.E.-.B.F.C.1.-.0.8.0.0.2.B.E.1.0.3.1.8.}.....C.l.a.s.s.=.P.r.i.n.t.e.r.....C.a.t.a.l.o.g.F.i.l.e.=.n.t.p.r.i.n.t...c.a.t.....D.r.i.v.e.r.I.s.o.l.a.t.i.o.n.=.2.....D.r.i.v.e.r.V.e.r.=.0.6./.2.1./.2.0.0.6.,.6...1...7.6.0.0...1.6.3.8.5.........[.M.a.n.u.f.a.c.t.u.r.e.r.].....".M.i.c.r.o.s.o.f.t.".=.M.i.c.r.o.s.o.f.t.,.N.T.a.m.d.6.4.........[.M.i.c.r.o.s.o.f.t...N.T.a.m.d.6.4.].....".{.D.2.0.E.A.3.7.2.-.D.D.3.5.-.4.9.5.0.-.9.E.D.8.-.A.6.3.3.5.A.F.E.7.9.F.0.}.". .=. .{.D.2.0.E.A.3.7.2.-.D.D.3.5.-.4.9.5.0.-.9.E.D.8.-.A.6.3.3.5.A.F.E.7.9.F.0.}.,. .{.D.2.0.E.A.3.7.2.-.D.D.3.5.-.4.9.5.0.-.9.E.D.8.-.A.6.3.3.5.A.F.
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:MS Windows icon resource - 6 icons, 32x32, 4 bits/pixel, 16x16, 4 bits/pixel
                                                                                                              Category:dropped
                                                                                                              Size (bytes):10134
                                                                                                              Entropy (8bit):5.364629779133003
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:75LkqDCmLVf89uqywWrvNCB4isySOc3AOv2B+YT1/44tuU+3:1OmLVf4dErvNCB5tSOc3AY2BP944g
                                                                                                              MD5:6F70BD62A17EC5B677EC1129F594EE6F
                                                                                                              SHA1:4FB95EB83A99C0DA62919C34886B0A3667F3911E
                                                                                                              SHA-256:FC8570D50C1773A1B34AA4E31143FD0776E26FF032EE3EEB6DB8BFAB42B4A846
                                                                                                              SHA-512:615A7E8738B2CF1BC47C8D5FC1357C1299080D0BAA1E54129D0DEBDB6BA60CD366364BE0BDAFDABCBA60F16544B0516A50B4B0182E8BCF01F59171003CE9B244
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):17415
                                                                                                              Entropy (8bit):4.618177193109944
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:U1EQCr2g2t2g2F2s2J2m2p2z2ZOgoNJUTIZah25Dy:3oLILwfcV86ZO3eTIZzy
                                                                                                              MD5:8EE7FD65170ED9BD408E0C821171B62A
                                                                                                              SHA1:9D14A87A049C3B576CEC4B28210F0C95B94E08E0
                                                                                                              SHA-256:EE1E4D9869188CC3FA518C445ECF071845E5BD8BE56767A9F7F7DD3ACE294BA5
                                                                                                              SHA-512:5740AB3545D2217BA2156C58BA9AF6681D73116AB5DFBEAA5AB615D9CD0C77716C25865E67188E9D7892B340776755D4CBB1A3E98FAEAF8B6BB4B2CCA00D8AE6
                                                                                                              Malicious:false
                                                                                                              Preview:*GPDSpecVersion: "1.0"..*GPDFileVersion: "1.0"..*GPDFileName: "***.GPD"..*Include: "STDNAMES_VPD.GPD"..*ModelName: "****"..*MasterUnits: PAIR(40800, 117600)..*ResourceDLL: "UNIRES_VPD.DLL"..*PrinterType: PAGE..*MaxCopies: 99....*Feature: Orientation..{.. *rcNameID: =ORIENTATION_DISPLAY.. *DefaultOption: PORTRAIT.. *Option: PORTRAIT.. {.. *rcNameID: =PORTRAIT_DISPLAY.. *Command: CmdSelect.. {.. *Order: DOC_SETUP.6.. *Cmd: "".. }.. }.. *Option: LANDSCAPE_CC270.. {.. *rcNameID: =LANDSCAPE_DISPLAY.. *Command: CmdSelect.. {.. *Order: DOC_SETUP.6.. *Cmd: "".. }.. }..}..*Feature: InputBin..{.. *rcNameID: =PAPER_SOURCE_DISPLAY.. *DefaultOption: AUTO...*Option: AUTO.. {.. *rcNameID: =AUTO_DISPLAY.. *Command: CmdSelect.. {.. *Order: DOC_SETUP.9.. *Cmd: "".. }.. }.. *Option: CASSETTE.. {.. *rcNameID:
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):41
                                                                                                              Entropy (8bit):4.479503224130278
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:z8ANyq3jII7Vc:z8cy2lc
                                                                                                              MD5:035B163A3E4C308F617C05E0137FAFD0
                                                                                                              SHA1:484238C9C05805F1CA5A97FA58950253B7F9FCBE
                                                                                                              SHA-256:00CA9230DBAC7FF222CA837AA796496FF4B9B15E0552D3D5AD26B040E2BAB8D7
                                                                                                              SHA-512:3EB65CF86C3C71944C8100F90C60604DB4EA69CB187F8E473601845EB4520148CF3779762EF997DC5C14FE8A2269B928448DDF0338A4F172C0460FA0D6F29798
                                                                                                              Malicious:false
                                                                                                              Preview:[OEMFiles] ..OEMConfigFile1=rppdui.dll ..
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):98650
                                                                                                              Entropy (8bit):4.192473934109759
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:768:5rENOwVRq6rZmor3CmRxhESLGZ0s1JP2PY6rZIshvwmE2uJJ6rZqDJK1YRo6rZGx:S9miFao0WDn
                                                                                                              MD5:1614E6CDF119FD284D476F7E6723B3AD
                                                                                                              SHA1:3FF9164C9E5FC47169CC1C6EECA22AAB099F2EA3
                                                                                                              SHA-256:C8DF350F95FFEEED30060092DC8666EADCE040A4DDCB98E7A9293F87D19387A8
                                                                                                              SHA-512:8FBCB156B2F9637BC15FA71758A361CB2500F5A19875EE6BE2B52FC3171C38353A6CDC623E36777D052E0B319C7AF934D2D1DBE92E69666C9B9AD749610BA471
                                                                                                              Malicious:false
                                                                                                              Preview:..[.E.n.g.l.i.s.h.].....L.a.n.g.I.D.=.1.0.3.3.....;. .l.o.o.k. .f.o.r. .l.a.n.g.u.a.g.e. .i.d.e.n.t.i.f.i.e.r.s. .i.n. .M.S.D.N. .-. .'.T.a.b.l.e. .o.f. .L.a.n.g.u.a.g.e. .I.d.e.n.t.i.f.i.e.r.s.'. .t.o.p.i.c.........;. .S.T.A.N.D.A.R.D. .D.I.A.L.O.G. .B.U.T.T.O.N.S.:.........1.=.O.K.....2.=.C.a.n.c.e.l.........;. .P.R.I.N.T.I.N.G. .P.R.E.F.E.R.E.N.C.E.S.:.........;. .C.o.m.m.o.n. .s.t.r.i.n.g.s.....;. .b.i.t.s. .p.e.r. .p.i.x.e.l.....5.0.0.0. .=. .1. .b.i.t. .-. .b.l.a.c.k. .a.n.d. .w.h.i.t.e.....5.0.0.1. .=. .4. .b.i.t.s. .-. .1.6. .c.o.l.o.r.s.....5.0.0.2. .=. .8. .b.i.t.s. .-. .2.5.6. .c.o.l.o.r.s.....5.0.0.3. .=. .2.4. .b.i.t.s. .-. .t.r.u.e. .c.o.l.o.r.........;. .C.o.m.p.r.e.s.s.i.o.n.....5.0.0.4. .=. .N.o.n.e.....5.0.0.5. .=. .A.u.t.o.m.a.t.i.c.....5.0.0.6. .=. .C.C.I.T.T. .m.o.d.i.f.i.e.d. .H.u.f.f.m.a.n. .R.L.E.....5.0.0.7. .=. .C.C.I.T.T. .G.r.o.u.p. .3. .f.a.x. .e.n.c.o.d.i.n.g.....5.0.0.8. .=. .C.C.I.T.T. .G.r.o.u.p. .4. .f.a.x. .e.n.c.o.d.i.n.g.....5.0.0.9. .=. .L.e.m.p.e.
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):33600
                                                                                                              Entropy (8bit):6.281064018328684
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:az2vV5RqtDcvnyQW7I+Ud26uiGKjzAVQjXzPishb8pe+7mNwSumexmMK6jcy:hgo7WcDGuB3Upe2m9uZxBKg3
                                                                                                              MD5:BED53AB8B9E406D1A8D6A85924E44282
                                                                                                              SHA1:19628BD3DE2BEF0EDC3622E4A7184162BD979040
                                                                                                              SHA-256:E5A10A74CFC36A4DCFCC9B25573B92A37B55062153EF9120B93154DB5792B3DA
                                                                                                              SHA-512:6F5C6945B0A982E8C94A826685158286D16173F51B10FDF1F5B9F4F93562240736A09B5F0997E995C0AF07360BACD51FA46CB8E4A3FA319519F3727FF87613E7
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 2%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):159552
                                                                                                              Entropy (8bit):6.178643199247813
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3072:VYM7lLXShoSAJzKb9P+K61JJBsJgTcqTIbMNZ3mo+aGh1G:77tK+K61vBsJKcq0bMNZPXP
                                                                                                              MD5:F0A9D47D76E68883F04E60599EADAE6D
                                                                                                              SHA1:8F7BB6B9E9CB70529FA4C442ABF507A2F546E6E3
                                                                                                              SHA-256:2FAB0969C6E131834496428779A0809B97981F3E8D6FBF8A59632CB2DF783687
                                                                                                              SHA-512:18BBD1A3899C6B2F361BFA575D50D7DA29EAEF0E1C7CB50B318CECFE3150F268C1CDF30FEB5246B9F9B5D7FE36BD4A268E06595D9D3F3D86D933F14F5C43AD43
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):87360
                                                                                                              Entropy (8bit):6.424955012685773
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:1536:df1NQOOvFdve0e0ZIMhn9nA2LYK7ZOgkg6znnLnx9Inz1:/Adve07RnlhRN6znDQx
                                                                                                              MD5:66C5F108A058B515BBDDE628384990C9
                                                                                                              SHA1:0FBADFC5106056DFD269DF5EA532F69556CAE68F
                                                                                                              SHA-256:8D596D33CC3962B33B46D361BBC44A8088F18C09949734F3DEC54828372426AE
                                                                                                              SHA-512:6060EF07244385516989DF3AAD1C01E9F93B7B45A247D8D70FC5BE7A62BA96BFD22F80F0C78D178443D38796A2C7148CD3ADF4EB1A5FC430DFF5BB393492901E
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):14366
                                                                                                              Entropy (8bit):4.1817849062232195
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:NjThm8JC986ITRCzEzEpYNwtd29u7ZTl8hF:yFzOnS7z0
                                                                                                              MD5:7162D8977515A446D2C1E139DA59DED5
                                                                                                              SHA1:952F696C463B8410B1FA93A3B2B6DAE416A81867
                                                                                                              SHA-256:2835A439C6AE22074BC3372491CB71E6C2B72D0C87AE3EEE6065C6CAADF1E5C8
                                                                                                              SHA-512:508F7CA3D4BC298534AB058F182755851051684F8D53306011F03875804C95E427428BD425DD13633EEC79748BB64E78AAD43E75B70CC5A3F0F4E6696DBB6D8E
                                                                                                              Malicious:false
                                                                                                              Preview:*%%% Copyright (c) 1997-1999 Microsoft Corporation..*%%% value macros for standard feature names and standard option names..*%%% used in older Unidrv's.....*CodePage: 1252 *% Windows 3.1 US (ANSI) code page....*Feature: RESDLL..{.. *Name: "resource dll files".. *ConcealFromUI?: TRUE.... *Option: UniresDLL.. {.. *Name: "unires_vpd.dll".. }..}....*Macros: StdFeatureNames..{.. ORIENTATION_DISPLAY: RESDLL.UniresDLL.11100.. PAPER_SIZE_DISPLAY: RESDLL.UniresDLL.11101.. PAPER_SOURCE_DISPLAY: RESDLL.UniresDLL.11102.. RESOLUTION_DISPLAY: RESDLL.UniresDLL.11103.. MEDIA_TYPE_DISPLAY: RESDLL.UniresDLL.11104.. TEXT_QUALITY_DISPLAY: RESDLL.UniresDLL.11105.. COLOR_PRINTING_MODE_DISPLAY: RESDLL.UniresDLL.11106.. PRINTER_MEMORY_DISPLAY: RESDLL.UniresDLL.11107.. TWO_SIDED_PRINTING_DISPLAY: RESDLL.UniresDLL.11108.. PAGE_PROTECTION_
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):383296
                                                                                                              Entropy (8bit):6.650287803080611
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:yplBo/TK5C+psQzJzCSX6hjg+4GRr3CoA7f3j5G+hinZ5P31uGX7Zum8oyk7lATI:O0/djgEUhWnJ2UlxqOttoICvPn/318Sm
                                                                                                              MD5:C3F39388BD4E6763F9734BC617388A17
                                                                                                              SHA1:AF5B4753F99C3F115294662876D7191DC8652786
                                                                                                              SHA-256:4D1F6A595889165B6A14B68D848C639748C9750C165BB4515CA3C3C67B4BA462
                                                                                                              SHA-512:BD8D00461E65F156686B0FC799926897845900F072F7AC10B66387E041CC7D3810ADBFB0137E9EA7B24995A11D324707D9E0FCD699D36E62ED089F46CC5ABA58
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:MS Windows 3.1 help, Tue Apr 17 13:11:56 2001, 21225 bytes
                                                                                                              Category:dropped
                                                                                                              Size (bytes):21225
                                                                                                              Entropy (8bit):3.9923245636306675
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:g8qo9MqLEGX9WkaNWvbAsmrEGckkwy95/HLQdu:g8rMqLwkW8AsqEHkkwy7N
                                                                                                              MD5:6798F64959C913673BD66CD4E47F4A65
                                                                                                              SHA1:C50FAA64C8267AC7106401E69DA5C15FC3F2034C
                                                                                                              SHA-256:0C02B226BE4E7397F8C98799E58B0A512515E462CCDAAC04EDC10E3E1091C011
                                                                                                              SHA-512:8D208306B6D0F892A2F16F8070A89D8EDB968589896CB70CF46F43BF4BEFB7C4CA6A278C35FE8A2685CC784505EFB77C32B0AABF80D13BCC0D10A39AE8AFB55A
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):755520
                                                                                                              Entropy (8bit):6.198681499104638
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12288:IlIoM3g2e9Bg7Lg3yfKDPc97QpAxuKdwSGnZGxn:IvM36KkyCLW7QCwSGon
                                                                                                              MD5:0822EE0FF996BEB2B31EBBDD6449231B
                                                                                                              SHA1:7DF7F4978F3C4728CAEF9F95C6EB6C0D8CF8FDAC
                                                                                                              SHA-256:D727150FA7853748655E9CAA9F19F633E33BD191284703D6609984A64CB39CAB
                                                                                                              SHA-512:A47D25901FAD0507167E241350EC12C8D545F3F932E1B44E5F167A82263BCB97DA06B09454E8DE815EFC445088F2B1011028C3EAE5BF3F55FACAA3D9EC082815
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):770368
                                                                                                              Entropy (8bit):5.629918098777896
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12288:tkoGBEoNh3bBPc/s4430ye84TF1dbua5TVhRre3kf8IKHgikinLC:LGBEGbL4Np84TQazCSiRC
                                                                                                              MD5:385152D096A96D1966C1042EDE38114F
                                                                                                              SHA1:A42D0587A2BF156C3F757778397A2E7AC8122E3C
                                                                                                              SHA-256:5A22FE5AF587540A9840E4F2A515564A2478DDA47AC1C81B687AC2F59C4C2FD0
                                                                                                              SHA-512:483E8819C6C5C1BCF725A4D6513364A5EE054E1D9100A8F42FFD2DBBFD52910CCA8E6DAF4435103C75AA2EBCA5A608BCC76EE6C531EA67C723267D9445D40256
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):247984
                                                                                                              Entropy (8bit):6.601853231729306
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:+SsS5fv6EATwqlGwyfDyodYI3ZubfW5nb2PQuW0x:+I5fv6EATwqlGwyfDyodYI3Zv1C
                                                                                                              MD5:69837E50C50561A083A72A5F8EA1F6A2
                                                                                                              SHA1:1A4B4C6C3CB6A5164CC1018AC72D0300455B3D8F
                                                                                                              SHA-256:9C9D4E421C55F7EF4E455E75B58A6639428CCD75C76E5717F448AFE4C21C52BC
                                                                                                              SHA-512:FD20C6B4EEC972C775681AD7322769D5074108D730727051EF77D779A277D77B12419E1FEE1E2EC0CF376A235573A85AD37975245DBF078DE467953AFD02164A
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):52312
                                                                                                              Entropy (8bit):6.450469916547452
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:768:MsmrWdCS5PvBHOUYTKJgr0OMpqdBwFrGjYBZyIh9rOQ:Mza/pu/TKJ/OMpTryYzyMCQ
                                                                                                              MD5:4E84DF6558C385BC781CDDEA34C9FBA3
                                                                                                              SHA1:6D63D87C19C11BDBFA484A5835FFFFD7647296C8
                                                                                                              SHA-256:0526073F28A3B5999528BFA0E680D668922499124F783F02C52A3B25C367EF6D
                                                                                                              SHA-512:C35DA0744568BFFFEFF09E6590D059E91E5D380C5FEB3A0FBC5B19477CECA007A882884A7033345CE408FCE1DEAC5248AD9B046656478D734FE494B787F8A9F2
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 8%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):9223040
                                                                                                              Entropy (8bit):6.355581719432468
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:196608:vL7NqnDg0293wsNAXayRDfxihAYOjPTJ3kx+q8ZJPyv1wbl3bc2EeJUO9WLcb0K:9lOJDm1Wrc2EeJUO9WLcbN
                                                                                                              MD5:8A9BDA9B9A84BD1551A09B65DFBC0C74
                                                                                                              SHA1:14FB48758D664917D789C21DCCB26D9D987F099F
                                                                                                              SHA-256:1D0F8C96F77C339A5F01822B9375131B0B0A49D6CAC45589CDB4B749DAA79773
                                                                                                              SHA-512:BBFB78B3652532E97F66E2DE7BFBEEFCB59254D9E626C62FF1B2E735AF2549B5483AB07739F6C9A686304C5042CDA79312028293959500BAC2A1EFE91B7732DB
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):7137640
                                                                                                              Entropy (8bit):6.481515443983134
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:98304:ZRE7yGktThDyt6666666666666666666666666666666x666666666666666fww8:XGktThD0TGh/fTCRwlRvZG3XYBVX1
                                                                                                              MD5:0DF9039CE4896584A206A40F48A07C6A
                                                                                                              SHA1:34F0F9AEFD5E37B6B02D062B8AB967DC0F3D2F21
                                                                                                              SHA-256:1DDE27F0410E59561EAB79A6C8EF6DF2ACEC52E92C9AC646135CD91940F2BE05
                                                                                                              SHA-512:FCF74DD6BF3491D2E56A963ABF028EDA8DF17C11ABB793E6E3DAAD3C1E6C1AEE2F731B23CE243872B588CDF7B1B6382804F6B5204DFFC04F266BE3A329945FA4
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):11132168
                                                                                                              Entropy (8bit):6.740943395722077
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:196608:kngOxqtJKXthIbi0EFrJIj35fGsX1bdXtK:kgOxqtQOUJ85jFhXQ
                                                                                                              MD5:CB9BE257064162076EBD4869CD97E166
                                                                                                              SHA1:49A8CACD48036784A413D63A242ED178BD75CBE9
                                                                                                              SHA-256:8A3822D52B4D460430B9E8E0FA6E6BD2C458598E4DBC2529DF7F2BDF902D2DD2
                                                                                                              SHA-512:013B7E7CCC77531C0D6FA81083B2F16CD0A2B2124105B2F855A478F1F114D3DBA75259B82596645E6BABD91E129E7F7F60AA85ECA32BD95F454B1A8A63B52EFB
                                                                                                              Malicious:true
                                                                                                              Yara Hits:
                                                                                                              • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Author: Joe Security
                                                                                                              • Rule: MALWARE_Win_RemoteUtilitiesRAT, Description: RemoteUtilitiesRAT RAT payload, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Author: ditekSHen
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 13%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):21764872
                                                                                                              Entropy (8bit):6.6100525724973656
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:393216:KEpVg+4nw7m2R8VLgZDMwyA7FWBdlY74ZV:tZR8VLg8AGYs
                                                                                                              MD5:D563A4D6BFCFE6884D1AC88824CB5C2A
                                                                                                              SHA1:710C0369915390737ED9BC19252F517D2D2939ED
                                                                                                              SHA-256:DE0FA71C1CFF03D657CB65A86072E964060C628AA4EB709CBE914DD772EF298D
                                                                                                              SHA-512:219D6307697CB12FA56020E6B2DC8FF5D13904FD318E2ED3646B294FAA1A613D838D0350E59B911023EA6F6D62CE53E402F975CAD4311D9A7DA58BD675AE2DB6
                                                                                                              Malicious:true
                                                                                                              Yara Hits:
                                                                                                              • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, Author: Joe Security
                                                                                                              • Rule: MALWARE_Win_RemoteUtilitiesRAT, Description: RemoteUtilitiesRAT RAT payload, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, Author: ditekSHen
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 12%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):388696
                                                                                                              Entropy (8bit):6.639766301981685
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:YIIDyjBnydesbWoiwS7dVIclCzoqHO/gCaEkkH8TuX6RTrWD4siZMZ+LG4IPWwc8:YI8tiDOzyH9H8Tu6h04fZMZoMPuvfj0h
                                                                                                              MD5:E247666CDEA63DA5A95AEBC135908207
                                                                                                              SHA1:4642F6C3973C41B7D1C9A73111A26C2D7AC9C392
                                                                                                              SHA-256:B419ED0374E3789B4F83D4AF601F796D958E366562A0AAEA5D2F81E82ABDCF33
                                                                                                              SHA-512:06DA11E694D5229783CFB058DCD04D855A1D0758BEEAA97BCD886702A1502D0BF542E7890AA8F2E401BE36CCF70376B5C091A5D328BB1ABE738BC0798AB98A54
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1640536
                                                                                                              Entropy (8bit):6.686577023894573
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:49152:OSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSvSSSSSSSSSSSSSSSlwwwwwwwwwwwwww3:OSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSZ
                                                                                                              MD5:D5C2A6AC30E76B7C9B55ADF1FE5C1E4A
                                                                                                              SHA1:3D841EB48D1A32B511611D4B9E6EED71E2C373EE
                                                                                                              SHA-256:11C7004851E6E6624158990DC8ABE3AA517BCAB708364D469589AD0CA3DBA428
                                                                                                              SHA-512:3C1C7FB535E779AC6C0D5AEF2D4E9239F1C27136468738A0BD8587F91B99365A38808BE31380BE98FD74063D266654A6AC2C2E88861A3FE314A95F1296699E1D
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):265816
                                                                                                              Entropy (8bit):6.521007214956242
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3072:MW218gr7s2yIHB0pTPdTX9zUbEbStE97zjAs1RtTcJTfIv0se7POWu/HgsGU1VTl:MWSfr7sXSmPDbKPJ6/AsNk+1x
                                                                                                              MD5:49C51ACE274D7DB13CAA533880869A4A
                                                                                                              SHA1:B539ED2F1A15E2D4E5C933611D736E0C317B8313
                                                                                                              SHA-256:1D6407D7C7FFD2642EA7F97C86100514E8E44F58FF522475CB42BCC43A1B172B
                                                                                                              SHA-512:13440009E2F63078DCE466BF2FE54C60FEB6CEDEED6E9E6FC592189C50B0780543C936786B7051311089F39E9E3CCB67F705C54781C4CAE6D3A8007998BEFBF6
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):373336
                                                                                                              Entropy (8bit):6.7704943019914845
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:faoH9sDRlDLD0GDkEp00tc6TKUOmrRK1jRsAOO04sAO88RtOd:noPH0GgEp0gVd1ValsQXsHOd
                                                                                                              MD5:EDA07083AF5B6608CB5B7C305D787842
                                                                                                              SHA1:D1703C23522D285A3CCDAF7BA2EB837D40608867
                                                                                                              SHA-256:C4683EB09D65D692CA347C0C21F72B086BD2FAF733B13234F3A6B28444457D7D
                                                                                                              SHA-512:BE5879621D544C4E2C4B0A5DB3D93720623E89E841B2982C7F6C99BA58D30167E0DD591A12048ED045F19EC45877AA2EF631B301B903517EFFA17579C4B7C401
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):880216
                                                                                                              Entropy (8bit):5.239371133407635
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12288:vTAPYZEyRr+NDnaLyx2lz8MSjtX08pYRc29qcQmsGahsQZsbRN9S:YYF+Eyx2lzujtEIYRc1cQmsGa7ON9S
                                                                                                              MD5:642DC7E57F0C962B9DB4C8FB346BC5A7
                                                                                                              SHA1:ACEE24383B846F7D12521228D69135E5704546F6
                                                                                                              SHA-256:63B4B5DB4A96A8ABEC82B64034F482B433CD4168C960307AC5CC66D2FBF67EDE
                                                                                                              SHA-512:FB163A0CE4E3AD0B0A337F5617A7BF59070DF05CC433B6463384E8687AF3EDC197E447609A0D86FE25BA3EE2717FD470F2620A8FC3A2998A7C3B3A40530D0BAE
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):8192
                                                                                                              Entropy (8bit):0.363788168458258
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:6xPoaaD0JOCEfMuaaD0JOCEfMKQmDNOxPoaaD0JOCEfMuaaD0JOCEfMKQmDN:1aaD0JcaaD0JwQQbaaD0JcaaD0JwQQ
                                                                                                              MD5:0E72F896C84F1457C62C0E20338FAC0D
                                                                                                              SHA1:9C071CC3D15E5BD8BF603391AE447202BD9F8537
                                                                                                              SHA-256:686DC879EA8690C42D3D5D10D0148AE7110FA4D8DCCBF957FB8E41EE3D4A42B3
                                                                                                              SHA-512:AAA5BE088708DABC2EC9A7A6632BDF5700BE719D3F72B732BD2DFD1A3CFDD5C8884BFA4951DB0C499AF423EC30B14A49A30FBB831D1B0A880FE10053043A4251
                                                                                                              Malicious:false
                                                                                                              Preview:*.>...........&.....D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................&.............................................................................................................................................................................................................................................................................................................................................................
                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1310720
                                                                                                              Entropy (8bit):1.3107553328820263
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrN:KooCEYhgYEL0In
                                                                                                              MD5:66113683EEFF6CB4718858007ACE3FFE
                                                                                                              SHA1:FFF151D41EAAB51C611A973E97DE8A14E31C7F93
                                                                                                              SHA-256:9BCF307E4CE299241696775FCA227E18710CDA5205291C280BDE480648684A0F
                                                                                                              SHA-512:33BE3766E445493EBFC7A0D61D814C4ECE228CA94787BC2311CDFEECD520E88CB6E6BD145E704998B17ECFCFAF0C35265015ED65CD3576B9FC1CF0F077C7317E
                                                                                                              Malicious:false
                                                                                                              Preview:z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................
                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                              File Type:Extensible storage engine DataBase, version 0x620, checksum 0x0f367cbd, page size 16384, Windows version 10.0
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1310720
                                                                                                              Entropy (8bit):0.42208467235953084
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:1536:3SB2ESB2SSjlK/uedMrSU0OrsJzvqYkr3g16f2UPkLk+ku4/Iw4KKazAkUk1k2DO:3azag03A2UrzJDO
                                                                                                              MD5:0F8BEAE5FBCA6E40A9752E7C19D0E47B
                                                                                                              SHA1:A9AFDF7F68742911555ECB539036D18C26B42431
                                                                                                              SHA-256:0219956EA22EC10641AB2E62B8990FA13DFBA366689EF54DCC6433C822BE2292
                                                                                                              SHA-512:92FB929C772C43C38E867E94DBE97372485BBA18B603CEDACE0B0A9FB2137183804F5AF905D5777B90155A6D73B2F66ABB43816006A43FF0EF87A9DCEA9E2B71
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):16384
                                                                                                              Entropy (8bit):0.07528424600951039
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:em/setYe+9pKfWWl//LlteV1uiuulwwl//ollOE/tlnl+/rTc:emdzmpOhl/DlwraulHl/ApMP
                                                                                                              MD5:346B800EEA2A37052A2395672EE6847A
                                                                                                              SHA1:819EC7BAE5A4465FAD64CC97B8ED80F1C7E8E309
                                                                                                              SHA-256:DB472621873ACA08969BE9A08B54353A68209E081B51C67E0841D7FAB4301E5C
                                                                                                              SHA-512:79082A4417C8E5A6FE0BF2ABC37636AC91C0A094D60232B60855CB7DF81A08FFB44DEC5D15D4C45F3B748FC568E53A01995856FE7B50B9D6E1DFF151BEC72A40
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                              File Type:HTML document, ASCII text, with CR line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):2993
                                                                                                              Entropy (8bit):5.463562083906246
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:SpiroU8xNqcoYERDML6RLi7rNRLigbqNKKkdgIOs7Zto4j2K3is4NGF5FJ:lr0xccoJxML6RLidRLi1ongK1xiNm3
                                                                                                              MD5:E4E74FEFA00EE0A8B97872550E07DCCD
                                                                                                              SHA1:7BDB9273E6E525A921084E41DD065C2DDEB8F7C0
                                                                                                              SHA-256:A0688FCB1FF15B0258090AB9BACCB64BBA92AF3DD85D571B9733E808390F6748
                                                                                                              SHA-512:DF4D921F346A484ECB59B1A25F4560200E3573954D9BEF31A6CB140856A55C61DE0C597FE507364A23472205577EF4D72D796F354D1F56DFB4FE628C68565A68
                                                                                                              Malicious:false
                                                                                                              Preview:<head>.<meta http-equiv="content-type" content="text/html; charset=utf-8" />.<meta name="copyright" content="TektonIT" />.<meta name="description" content="Remote Manipulator System - Server software, event log. Tektonit.com" />.<title>RMS &ndash; host log</title>.<style type="text/css">.body {.font-family: Courier New, monospace;.font-size: 100%;.background-color: #FFFFFF;.} .h1 {.font-size: 130%;.margin: 0px 0px 0px 0px;.} .textarea {.display: none;.margin-top: 5px;.width: 100%;.} ..main_table td {.border: 1px dashed #DADADA;.} ..e_l_0 {.background-color: #4c4cff;.border: 1px solid red;.} ..e_l_1 {.background-color: #fff04c;.border: none;.} ..e_l_2 {.background-color: #ffa94c;.border: none;.} ..e_l_3 {.background-color: #fc2727;.border: none;.} .#log_header td {.font-weight: bold;.} .#subheader {.font-size: 70%;.color: #DADADA;.margin-bottom: 10px;.} .</style>.<script language="javascript">.function show_textarea(elem) {.var parent_node = elem.parentNode;.var nodes = parent_node.chil
                                                                                                              Process:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):333
                                                                                                              Entropy (8bit):5.039741216269087
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:oBIkLmKRL/9BIkLdd/ao9BIkLhHujHO7eVVBIkLwmnXjKV9BIkLOLGeXkRLNWy:oBIkfjBIkDSo9BIk9Be/BIkRTiBIk6r+
                                                                                                              MD5:DB6B1F26FA6B988AEFFDFC190750DFE4
                                                                                                              SHA1:4E028B28E7B99A315848770C3889A28F22921B04
                                                                                                              SHA-256:2B82D82363C9976EBB006B2A5B280EC6A25BC98EE1BFA5A9A1DD6FA3CB98C043
                                                                                                              SHA-512:E0A960C51E95F714A327AE61C116F97FC8509D89A8DB2B4093547EA12F93BC97FB7D67AB3C07F61839E26D25B16DB8D3212F028F18FDE590E1600C9004CD7153
                                                                                                              Malicious:false
                                                                                                              Preview:03-12-2024_02:58:57#T:SilentInstall: installation 70270..03-12-2024_02:58:57#T:SilentInstall: NTSetPrivilege:SE_DEBUG_NAME:false. OK..03-12-2024_02:58:57#T:SilentInstall: OpenService: service not found_1. OK..03-12-2024_02:58:57#T:SilentInstall: CreateService. OK..03-12-2024_02:58:57#T:SilentInstall: finished (installation) 70270..
                                                                                                              Process:C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
                                                                                                              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: RMS - Host 7.2, Comments: This installer contains the logic and data to install RMS - Host 7.2, Keywords: Installer,MSI,Database, Subject: RMS - Host 7.2, Author: TektonIT, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2021 - Premier Edition with Virtualization Pack 27, Last Saved Time/Date: Thu Jul 18 02:24:09 2024, Create Time/Date: Thu Jul 18 02:24:09 2024, Last Printed: Thu Jul 18 02:24:09 2024, Revision Number: {134AA6F2-2A49-44F2-A7A5-B7B9233956FA}, Code page: 1251, Template: Intel;1049
                                                                                                              Category:dropped
                                                                                                              Size (bytes):26864640
                                                                                                              Entropy (8bit):7.924911310016854
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:393216:3fWbJGFHH0km5pmwUs1211e50MRZDzPHPRn9xrUVaWILZPLM4ShshVK6KZ478Qic:3fRLmf21sq8P50dILZPLzVK6D
                                                                                                              MD5:24F15E659ECB67862F4C6E72726BFCA7
                                                                                                              SHA1:75D90172D7A315A31A484629DC8573367F3E544A
                                                                                                              SHA-256:F11C06F1FD567E26FB4CE9999749516B6E47ADE4EE0B7B875A75A5CBFB74DC04
                                                                                                              SHA-512:913C9FB7FDCA7F9F7DD7077C34092E76E42D88802406C9A5F6E8AA0C21E4F21FEE850A39B95982EFE9ED4A2D022A95C30739CC20DC65F3C6722B6022D8F76B3C
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):338
                                                                                                              Entropy (8bit):3.4540798801421673
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:kKTYy89k8JFN+SkQlPlEGYRMY9z+s3Ql2DUevat:7P0ckPlE99SCQl2DUevat
                                                                                                              MD5:DD060B1BC768CB1214B4EB5BD36828E1
                                                                                                              SHA1:5507366C32F8AFB7436F6FBF90B512F8A6F01B33
                                                                                                              SHA-256:2560E4F6FE0C88122F9D3B53F9DC8AF4DDBF58FABA1E4B7CC56D2BB43E926DCE
                                                                                                              SHA-512:5F75436D01D722119447EB6E46DC2376F2B3E1F752139CACFDBDB917F97F21667DA2C264B4BB3029A2C9520AB79E6A8BC8F41D6302391117E23F4F0B90207F98
                                                                                                              Malicious:false
                                                                                                              Preview:p...... .........../YE..(...................................................@... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:JSON data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):521377
                                                                                                              Entropy (8bit):4.9084889265453135
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3072:gdTb5Sb3F2FqSrfZm+CnQsbzxZO7aYb6f5780K2:wb5q3umBnzT
                                                                                                              MD5:C37972CBD8748E2CA6DA205839B16444
                                                                                                              SHA1:9834B46ACF560146DD7EE9086DB6019FBAC13B4E
                                                                                                              SHA-256:D4CFBB0E8B9D3E36ECE921B9B51BD37EF1D3195A9CFA1C4586AEA200EB3434A7
                                                                                                              SHA-512:02B4D134F84122B6EE9A304D79745A003E71803C354FB01BAF986BD15E3BA57BA5EF167CC444ED67B9BA5964FF5922C50E2E92A8A09862059852ECD9CEF1A900
                                                                                                              Malicious:false
                                                                                                              Preview:{"MajorVersion":4,"MinorVersion":40,"Expiration":14,"Fonts":[{"a":[4294966911],"f":"Abadi","fam":[],"sf":[{"c":[1,0],"dn":"Abadi","fs":32696,"ful":[{"lcp":983041,"lsc":"Latn","ltx":"Abadi"}],"gn":"Abadi","id":"23643452060","p":[2,11,6,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":26215680},{"c":[1,0],"dn":"Abadi Extra Light","fs":22180,"ful":[{"lcp":983042,"lsc":"Latn","ltx":"Abadi Extra Light"}],"gn":"Abadi Extra Light","id":"17656736728","p":[2,11,2,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":13108480}]},{"a":[4294966911],"f":"ADLaM Display","fam":[],"sf":[{"c":[536870913,0],"dn":"ADLaM Display Regular","fs":140072,"ful":[{"lcp":983040,"lsc":"Latn","ltx":"ADLaM Display"}],"gn":"ADLaM Display","id":"31965479471","p":[2,1,0,0,0,0,0,0,0,0],"sub":[],"t":"ttf","u":[2147491951,1107296330,0,0],"v":131072,"w":26215680}]},{"a":[4294966911],"f":"Agency FB","fam":[],"sf":[{"c":[536870913,0],"dn":"Agency FB Bold","fs":54372,"ful":[{"lcp":9830
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:TrueType Font data, 10 tables, 1st "OS/2", 7 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.msofp_4_40RegularVersion 4.40;O365
                                                                                                              Category:dropped
                                                                                                              Size (bytes):773040
                                                                                                              Entropy (8bit):6.55939673749297
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12288:Zn84XULLDs51UJQSOf9VvLXHyheIQ47gEFGHtAgk3+/cLQ/zhm1kjFKy6Nyjbqq+:N8XPDs5+ivOXgo1kYvyz2
                                                                                                              MD5:4296A064B917926682E7EED650D4A745
                                                                                                              SHA1:3953A6AA9100F652A6CA533C2E05895E52343718
                                                                                                              SHA-256:E04E41C74D6C78213BA1588BACEE64B42C0EDECE85224C474A714F39960D8083
                                                                                                              SHA-512:A25388DDCE58D9F06716C0F0BDF2AEFA7F68EBCA7171077533AF4A9BE99A08E3DCD8DFE1A278B7AA5DE65DA9F32501B4B0B0ECAB51F9AF0F12A3A8A75363FF2C
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):2278
                                                                                                              Entropy (8bit):3.839874938955281
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:uiTrlKxsxxJJxl9Il8ucp6PxAWPrQSSpHNU5Q/PBd1rc:vp9YWp6PxZQ5gQXi
                                                                                                              MD5:A83840BD759694F8E52D50E6EDC40017
                                                                                                              SHA1:AA05CC2C7A41309134204B3BDEAB0C29A5F50020
                                                                                                              SHA-256:2D718B5C18B485FE7306B935A941F3409674C82A75FE46EEA635DA687E9DA675
                                                                                                              SHA-512:0A8D08F9C16A616C1FE60072AFC8CA852304CCB9EF7C8CBB6167C86D9A66BC014422D16319670880ABCE93F5D47B7EA93D7149D51153ADC9A57D805076F6A1D4
                                                                                                              Malicious:false
                                                                                                              Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".C.J.1.m.u.g.S.o.z.s.S.9.x.S.Z./.Q.v.O.c.+.E.J.4.u.2.c.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.K.e.L.j.2.F.F.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.n.4.Z.c.h.H.
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):2684
                                                                                                              Entropy (8bit):3.8995882772562536
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:uiTrlKxJxVxl9Il8uctwD/PUd8mj3g58mVsVk8Bfo4Jm6lNd/vc:wYWtwD0j3MeVycm66
                                                                                                              MD5:7EFA634935D3C1B8DCBF88E869B88C99
                                                                                                              SHA1:03697C16B864A024518BDF0179B1DBCD09CD2C95
                                                                                                              SHA-256:8EFF2344166FBDD434417AED291C7AE9697763A80B1411785C1B333698ECC824
                                                                                                              SHA-512:78F81B833E253DA48A338CE63E6924EB48AAD82701EE981FF9B6E19DDCA01808D13BEA3A72DEE2732CBBE493EC5A94F28727F3EC94C7285810E2D4B2622DD0AB
                                                                                                              Malicious:false
                                                                                                              Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".V.H.X.L.G.R.5.H.j.D.k.3.C.i.F.b.L.a.m.K.N.+.n.c.g.T.0.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".J.T.I.c.p.y.p.k.3.A.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.n.4.Z.c.h.H.
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):4542
                                                                                                              Entropy (8bit):3.9976547747737956
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:MYWY09l0RlgWNbdJybyS4+5QCUdPYlbWJHQI50HVTSzU:Mh9WuEGyS4aUelbWK11T4U
                                                                                                              MD5:CCCCBAFE0C324577AC7C794044282A5A
                                                                                                              SHA1:C87A795A1C735CFCB15D96D10D5AE5EA725C0076
                                                                                                              SHA-256:7BB7C6110FF445BC0DC1D89287C0CBECBB85907D824B03F4D8C260488D48DE18
                                                                                                              SHA-512:8DC4E904F3942927EA1EF3BDCA808F4C959099C21F7D8CD5E4DA8D52B3B34C663DD80F15B2D15EE95407732C7404232C751D054998B7BD8640C6AA180062D3B9
                                                                                                              Malicious:false
                                                                                                              Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".V.q.Y.a.6.3.X.Y.9.b.4.Y.b.C.Z.g.f.0.u.y.E.6.v.n.x.e.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".9.I.m.N.d.V.l.F.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.n.4.Z.c.h.H.
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 1428x2020, components 3
                                                                                                              Category:dropped
                                                                                                              Size (bytes):217242
                                                                                                              Entropy (8bit):7.641248072397463
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3072:0yKKhARKP6+FeRJhaigk8Ukyhxv8vyNrwyJN2EiXo4EaCNSltkprZvyYqZtGq:0yKKhEKBSf/vv8vyNjz9oltkyY2
                                                                                                              MD5:6CFFBB054A1BD06B3B1018684467A551
                                                                                                              SHA1:347CECCBDFCE4CB2AA96F90735C2F5975E9ABC3F
                                                                                                              SHA-256:E0967AD8F4F2DF25AD1343AABF1C144E48D83BC3E61E2122F5BBF9A83EA63709
                                                                                                              SHA-512:24726671FEFA5228737C2E3E2CC159ECA90CD770022051A07C4C059B5378DA251E70568C956CB00631E12424FF5218E7A9A9BE30B0F4D47C277FC470218F88F0
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1536
                                                                                                              Entropy (8bit):0.09783851312991518
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:llmn/lLfn:YZn
                                                                                                              MD5:881EE5BD27A267B0F01FD15E90AC4309
                                                                                                              SHA1:39D217D0F4BDE69A9A163E9F6C5728FDE81907F7
                                                                                                              SHA-256:90305EA213DDD5187AC57A744160391E8F9CD88FE8C355170291294739AAE912
                                                                                                              SHA-512:870D03A7DE2D66778F5199708387802196419BCA134EF50F6279715EC0EEFCB01AAE209ABCB790397A855301409EC6403A3B002214CB5B07153AD4CBD7B556B7
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):20971520
                                                                                                              Entropy (8bit):0.015323242247846756
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:1536:ywTuT3WODAm3SjVg9k9XYNURZNzsCE+ocK9BE:hK
                                                                                                              MD5:35CC78D8D787E1EF547E341C5117FB2F
                                                                                                              SHA1:EF5DDE67CD62796C18CED4858BBF2AF2DD08A1D8
                                                                                                              SHA-256:0D21C80B9BA5520F8D562BDD116188F383A0D4D2E4B59CCDF7E02771C05C7C00
                                                                                                              SHA-512:E08B614FF0BD2A7B5A26FE1E23263970F7860143A4ACB16BA226CA46107FC93A7250C36BD7108CD85209317026DDD7518FF8AAD9FBF98E57EB093A2B362C2147
                                                                                                              Malicious:false
                                                                                                              Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..12/03/2024 07:58:42.463.WINWORD (0xD08).0x1998.Microsoft Word.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.LoadXmlRules","Flags":33777014401990913,"InternalSequenceNumber":22,"Time":"2024-12-03T07:58:42.463Z","Contract":"Office.System.Activity","Activity.CV":"mrPEpuUrV0ClO9R5bvl82A.7.1","Activity.Duration":291,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":false,"Activity.Result.Code":-2147024890,"Activity.Result.Type":"HRESULT","Activity.Result.Tag":528307459}...12/03/2024 07:58:42.478.WINWORD (0xD08).0x1998.Microsoft Word.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.ProcessIdleQueueJob","Flags":33777014401990913,"InternalSequenceNumber":23,"Time":"2024-12-03T07:58:42.478Z","Contract":"Office.System.Activity","Activity.CV":"mrPEpuUrV0ClO9R5bvl82A.7","Activity.Duration":4611,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":false,"Data.FailureDia
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):20971520
                                                                                                              Entropy (8bit):0.0
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3::
                                                                                                              MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                                                                                                              SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                                                                                                              SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                                                                                                              SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):3078052
                                                                                                              Entropy (8bit):7.954129852655753
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:49152:bSEjlpY8skyFHuj2yY0ciM9U2NCVBB4YFzYFw7IaJE2VRK+Xn9DOOe9pp9N9Hu:bfp5sksA3cimUVxV05aJE2fKaDOXdN9O
                                                                                                              MD5:CDF98D6B111CF35576343B962EA5EEC6
                                                                                                              SHA1:D481A70EC9835B82BD6E54316BF27FAD05F13A1C
                                                                                                              SHA-256:E3F108DDB3B8581A7A2290DD1E220957E357A802ECA5B3087C95ED13AD93A734
                                                                                                              SHA-512:95C352869D08C0FE903B15311622003CB4635DE8F3A624C402C869F1715316BE2D8D9C0AB58548A84BBB32757E5A1F244B1014120543581FDEA7D7D9D502EF9C
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):274
                                                                                                              Entropy (8bit):3.5303110391598502
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:Q+sxnxUXzRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnylymD0wbnKNAH/lMz1
                                                                                                              MD5:8D1E1991838307E4C2197ECB5BA9FA79
                                                                                                              SHA1:4AD8BB98DC9C5060B58899B3E9DCBA6890BC9E93
                                                                                                              SHA-256:4ABA3D10F65D050A19A3C2F57A024DBA342D1E05706A8A3F66B6B8E16A980DB9
                                                                                                              SHA-512:DCDC9DB834303CC3EC8F1C94D950A104C504C588CE7631CE47E24268AABC18B1C23B6BEC3E2675E8A2A11C4D80EBF020324E0C7F985EA3A7BBC77C1101C23D01
                                                                                                              Malicious:false
                                                                                                              Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .M.e.s.h...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):2924237
                                                                                                              Entropy (8bit):7.970803022812704
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:49152:mc4NEo4XNd5wU5qTkdC4+K9u5b/i40RKRAO/cLf68wy9yxKrOUURBgmai2prH:mJef5yTSoKMF//DRGJwLx9DBaH
                                                                                                              MD5:5AF1581E9E055B6E323129E4B07B1A45
                                                                                                              SHA1:B849F85BCAF0E1C58FA841FFAE3476D20D33F2DD
                                                                                                              SHA-256:BDC9FBF81FBE91F5BF286B2CEA00EE76E70752F7E51FE801146B79F9ADCB8E98
                                                                                                              SHA-512:11BFEF500DAEC099503E8CDB3B4DE4EDE205201C0985DB4CA5EBBA03471502D79D6616D9E8F471809F6F388D7CBB8B0D0799262CBE89FEB13998033E601CEE09
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):286
                                                                                                              Entropy (8bit):3.5434534344080606
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:Q+sxnxUXIc5+RELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny4KcymD0wbnKNAH/lMz1
                                                                                                              MD5:C9812793A4E94320C49C7CA054EE6AA4
                                                                                                              SHA1:CC1F88C8F3868B3A9DE7E0E5F928DBD015234ABA
                                                                                                              SHA-256:A535AE7DD5EDA6D31E1B5053E64D0D7600A7805C6C8F8AF1DB65451822848FFC
                                                                                                              SHA-512:D28AADEDE0473C5889F3B770E8D34B20570282B154CD9301932BF90BF6205CBBB96B51027DEC6788961BAF2776439ADBF9B56542C82D89280C0BEB600DF4B633
                                                                                                              Malicious:false
                                                                                                              Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .M.a.i.n._.E.v.e.n.t...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):292
                                                                                                              Entropy (8bit):3.5026803317779778
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:fxnxUXC89ADni8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyf9ADiNGHmD0wbnKYZAH/lMZqiv
                                                                                                              MD5:A0D51783BFEE86F3AC46A810404B6796
                                                                                                              SHA1:93C5B21938DA69363DBF79CE594C302344AF9D9E
                                                                                                              SHA-256:47B43E7DBDF8B25565D874E4E071547666B08D7DF4D736EA8521591D0DED640F
                                                                                                              SHA-512:CA3DB5A574745107E1D6CAA60E491F11D8B140637D4ED31577CC0540C12FDF132D8BC5EBABEA3222F4D7BA1CA016FF3D45FE7688D355478C27A4877E6C4D0D75
                                                                                                              Malicious:false
                                                                                                              Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .g.o.s.t.t.i.t.l.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):251032
                                                                                                              Entropy (8bit):5.102652100491927
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:hwprA5R95vtfb8p4bgWPwW6/m26AnV9IBgIkqm6HITUZJcjUZS1XkaNPQTlvB2zr:JA
                                                                                                              MD5:F425D8C274A8571B625EE66A8CE60287
                                                                                                              SHA1:29899E309C56F2517C7D9385ECDBB719B9E2A12B
                                                                                                              SHA-256:DD7B7878427276AF5DBF8355ECE0D1FE5D693DF55AF3F79347F9D20AE50DB938
                                                                                                              SHA-512:E567F283D903FA533977B30FD753AA1043B9DDE48A251A9AC6777A3B67667443FEAD0003765A630D0F840B6C275818D2F903B6CB56136BEDCC6D9BDD20776564
                                                                                                              Malicious:false
                                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):3611324
                                                                                                              Entropy (8bit):7.965784120725206
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:49152:ixc1kZBIabo4dTJyr3hJ50gd9OaFxTy+1Nn/M/noivF0po3M0h0Vsm:ixcaAabT83hJLdoaFxTygxcoiX3M0iCm
                                                                                                              MD5:FB88BFB743EEA98506536FC44B053BD0
                                                                                                              SHA1:B27A67A5EEC1B5F9E7A9C3B76223EDE4FCAF5537
                                                                                                              SHA-256:05057213BA7E5437AC3B8E9071A5577A8F04B1A67EFE25A08D3884249A22FBBF
                                                                                                              SHA-512:4270A19F4D73297EEC910B81FF17441F3FC7A6A2A84EBA2EA3F7388DD3AA0BA31E9E455CFF93D0A34F4EC7CA74672D407A1C4DC838A130E678CA92A2E085851C
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):288
                                                                                                              Entropy (8bit):3.5359188337181853
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:Q+sxnxUXe46x8RELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyO3UymD0wbnKNAH/lMz1
                                                                                                              MD5:0FEA64606C519B78B7A52639FEA11492
                                                                                                              SHA1:FC9A6D5185088318032FD212F6BDCBD1CF2FFE76
                                                                                                              SHA-256:60059C4DD87A74A2DC36748941CF5A421ED394368E0AA19ACA90D850FA6E4A13
                                                                                                              SHA-512:E04102E435B8297BF33086C0AD291AD36B5B4A97A59767F9CAC181D17CFB21D3CAA3235C7CD59BB301C58169C51C05DDDF2D637214384B9CC0324DAB0BB1EF8D
                                                                                                              Malicious:false
                                                                                                              Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .V.a.p.o.r._.T.r.a.i.l...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:modified
                                                                                                              Size (bytes):274
                                                                                                              Entropy (8bit):3.4699940532942914
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:fxnxUXGWWYlIWimoa2nRE3QepmlJ0+3FbnKfZObdADxp1RDWlVwv:fxny2WzIgN2RGHmD0wbnKYZAH+Vwv
                                                                                                              MD5:55BA5B2974A072B131249FD9FD42EB91
                                                                                                              SHA1:6509F8AC0AA23F9B8F3986217190F10206A691EA
                                                                                                              SHA-256:13FFAAFFC987BAAEF7833CD6A8994E504873290395DC2BD9B8E1D7E7E64199E7
                                                                                                              SHA-512:3DFB0B21D09B63AF69698252D073D51144B4E6D56C87B092F5D97CE07CBCF9C966828259C8D95944A7732549C554AE1FF363CB936CA50C889C364AA97501B558
                                                                                                              Malicious:false
                                                                                                              Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .I.n.s.i.g.h.t. .d.e.s.i.g.n. .s.e.t...d.o.t.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.W.D. .D.o.c.u.m.e.n.t. .P.a.r.t.s.}.........
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Word 2007+
                                                                                                              Category:dropped
                                                                                                              Size (bytes):3465076
                                                                                                              Entropy (8bit):7.898517227646252
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:98304:n8ItVaN7vTMZ9IBbaETXbI8ItVaN7vTMZ9IBbaEiXbY:8ItwNX9BvTvItwNX9BvoM
                                                                                                              MD5:8BC84DB5A3B2F8AE2940D3FB19B43787
                                                                                                              SHA1:3A5FE7B14D020FAD0E25CD1DF67864E3E23254EE
                                                                                                              SHA-256:AF1FDEEA092169BF794CDC290BCA20AEA07AC7097D0EFCAB76F783FA38FDACDD
                                                                                                              SHA-512:558F52C2C79BF4A3FBB8BB7B1C671AFD70A2EC0B1BDE10AC0FED6F5398E53ED3B2087B38B7A4A3D209E4F1B34150506E1BA362E4E1620A47ED9A1C7924BB9995
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):374
                                                                                                              Entropy (8bit):3.5414485333689694
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:fxnxUX8FaE3f8AWqlQqr++lcWimqnKOE3QepmlJ0+3FbnKfZObdADryMluxHZypo:fxnyj9AWI+acgq9GHmD0wbnKYZAH/lMf
                                                                                                              MD5:2F7A8FE4E5046175500AFFA228F99576
                                                                                                              SHA1:8A3DE74981D7917E6CE1198A3C8E35C7E2100F43
                                                                                                              SHA-256:1495B4EC56B371148EA195D790562E5621FDBF163CDD8A5F3C119F8CA3BD2363
                                                                                                              SHA-512:4B8FBB692D91D88B584E46C2F01BDE0C05DCD5D2FF073D83331586FB3D201EACD777D48DB3751E534E22115AA1C3C30392D0D642B3122F21EF10E3EE6EA3BE82
                                                                                                              Malicious:false
                                                                                                              Preview:[File]..OriginalName: Text Sidebar (Annual Report Red and Black design).docx..Component: WordFiles..ReqVer: 14..Executable: {WD}..StoreLocation: {My Templates}..Command: /f {FilePath}....
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Word 2007+
                                                                                                              Category:dropped
                                                                                                              Size (bytes):47296
                                                                                                              Entropy (8bit):6.42327948041841
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:768:ftjI1BT8N37szq00s7dB2wMVJGHR97/RDU5naXUsT:fJIPTfq0ndB2w1bpsE
                                                                                                              MD5:5A53F55DD7DA8F10A8C0E711F548B335
                                                                                                              SHA1:035E685927DA2FECB88DE9CAF0BECEC88BC118A7
                                                                                                              SHA-256:66501B659614227584DA04B64F44309544355E3582F59DBCA3C9463F67B7E303
                                                                                                              SHA-512:095BD5D1ACA2A0CA3430DE2F005E1D576AC9387E096D32D556E4348F02F4D658D0E22F2FC4AA5BF6C07437E6A6230D2ABF73BBD1A0344D73B864BC4813D60861
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):332
                                                                                                              Entropy (8bit):3.4871192480632223
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:fxnxUXsdDUaw93Ti8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyoRw9eNGHmD0wbnKYZAH/lMZqiv
                                                                                                              MD5:333BA58FCE326DEA1E4A9DE67475AA95
                                                                                                              SHA1:F51FAD5385DC08F7D3E11E1165A18F2E8A028C14
                                                                                                              SHA-256:66142D15C7325B98B199AB6EE6F35B7409DE64EBD5C0AB50412D18CBE6894097
                                                                                                              SHA-512:BFEE521A05B72515A8D4F7D13D8810846DC60F1E85C363FFEBD6CACD23AE8D2E664C563FC74700A4ED4E358F378508D25C46CB5BE1CF587E2E278EBC22BB2625
                                                                                                              Malicious:false
                                                                                                              Preview:[File]..OriginalName: mlaseventheditionofficeonline.xsl..Component: WordFiles..ReqVer: 14..Executable: {WD}..StoreLocation: {My Templates}..Command: /f {FilePath}....
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):254875
                                                                                                              Entropy (8bit):5.003842588822783
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:MwprAnniNgtfbzbOWPuv7kOMBLitjAUjTQLrYHwR0TnyDkHqV3iPr1zHX5T6SSXj:a
                                                                                                              MD5:377B3E355414466F3E3861BCE1844976
                                                                                                              SHA1:0B639A3880ACA3FD90FA918197A669CC005E2BA4
                                                                                                              SHA-256:4AC5B26C5E66E122DE80243EF621CA3E1142F643DD2AD61B75FF41CFEE3DFFAF
                                                                                                              SHA-512:B050AD52A8161F96CBDC880DD1356186F381B57159F5010489B04528DB798DB955F0C530465AB3ECD5C653586508429D98336D6EB150436F1A53ABEE0697AEB9
                                                                                                              Malicious:false
                                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>...</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />......<xsl:variable name="prop_EndChars">.....<xsl:call-template name="templ_prop_EndChars"/>....</xsl:variable>......<xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parameters" />......
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):288
                                                                                                              Entropy (8bit):3.523917709458511
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:fxnxUXC1l8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnySvNGHmD0wbnKYZAH/lMZqiv
                                                                                                              MD5:4A9A2E8DB82C90608C96008A5B6160EF
                                                                                                              SHA1:A49110814D9546B142C132EBB5B9D8A1EC23E2E6
                                                                                                              SHA-256:4FA948EEB075DFCB8DCA773A3F994560C69D275690953625731C4743CD5729F7
                                                                                                              SHA-512:320B9CC860FFBDB0FD2DB7DA7B7B129EEFF3FFB2E4E4820C3FBBFEA64735EB8CFE1F4BB5980302770C0F77FF575825F2D9A8BB59FC80AD4C198789B3D581963B
                                                                                                              Malicious:false
                                                                                                              Preview:[File]..OriginalName: chicago.xsl..Component: WordFiles..ReqVer: 14..Executable: {WD}..StoreLocation: {My Templates}..Command: /f {FilePath}....
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):296658
                                                                                                              Entropy (8bit):5.000002997029767
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:RwprAMk0qvtfL/vF/bkWPz9yv7EOMBPitjASjTQQr7IwR0TnyDkJb78plJwf33iV:M
                                                                                                              MD5:9AC6DE7B629A4A802A41F93DB2C49747
                                                                                                              SHA1:3D6E929AA1330C869D83F2BF8EBEBACD197FB367
                                                                                                              SHA-256:52984BC716569120D57C8E6A360376E9934F00CF31447F5892514DDCCF546293
                                                                                                              SHA-512:5736F14569E0341AFB5576C94B0A7F87E42499CEC5927AAC83BB5A1F77B279C00AEA86B5F341E4215076D800F085D831F34E4425AD9CFD52C7AE4282864B1E73
                                                                                                              Malicious:false
                                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):254
                                                                                                              Entropy (8bit):3.4721586910685547
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:fxnxUX9+RclTloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyteUTloGHmD0+dAH/luWvv
                                                                                                              MD5:4DD225E2A305B50AF39084CE568B8110
                                                                                                              SHA1:C85173D49FC1522121AA2B0B2E98ADF4BB95B897
                                                                                                              SHA-256:6F00DD73F169C73D425CB9895DAC12387E21C6E4C9C7DDCFB03AC32552E577F4
                                                                                                              SHA-512:0493AB431004191381FF84AD7CC46BD09A1E0FEEC16B3183089AA8C20CC7E491FAE86FE0668A9AC677F435A203E494F5E6E9E4A0571962F6021D6156B288B28A
                                                                                                              Malicious:false
                                                                                                              Preview:[File]..OriginalName: chevronaccent.glox..Component: WordFiles..ReqVer: 14..StoreLocation: {My Templates}\SmartArt Graphics....
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):4243
                                                                                                              Entropy (8bit):7.824383764848892
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:22MQe4zHye8/djzF+JjvtmMkkBpF7e0LTkaf:22De4zHHCvF+nRBDXoaf
                                                                                                              MD5:7BC0A35807CD69C37A949BBD51880FF5
                                                                                                              SHA1:B5870846F44CAD890C6EFF2F272A037DA016F0D8
                                                                                                              SHA-256:BD3A013F50EBF162AAC4CED11928101554C511BD40C2488CF9F5842A375B50CA
                                                                                                              SHA-512:B5B785D693216E38B5AB3F401F414CADACCDCB0DCA4318D88FE1763CD3BAB8B7670F010765296613E8D3363E47092B89357B4F1E3242F156750BE86F5F7E9B8D
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):252
                                                                                                              Entropy (8bit):3.4680595384446202
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:fxnxUXivlE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyydGHmD0+dAH/luWvv
                                                                                                              MD5:D79B5DE6D93AC06005761D88783B3EE6
                                                                                                              SHA1:E05BDCE2673B6AA8CBB17A138751EDFA2264DB91
                                                                                                              SHA-256:96125D6804544B8D4E6AE8638EFD4BD1F96A1BFB9EEF57337FFF40BA9FF4CDD1
                                                                                                              SHA-512:34057F7B2AB273964CB086D8A7DF09A4E05D244A1A27E7589BDC7E5679AB5F587FAB52A2261DB22070DA11EF016F7386635A2B8E54D83730E77A7B142C2E3929
                                                                                                              Malicious:false
                                                                                                              Preview:[File]..OriginalName: architecture.glox..Component: WordFiles..ReqVer: 14..StoreLocation: {My Templates}\SmartArt Graphics....
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):5783
                                                                                                              Entropy (8bit):7.88616857639663
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:CDG4D+8VsXzXc2zLXTJ2XFY47pk2G7HVlwFzTXNbMfmn2ivLZcreFWw5fc9ADdZm:CDG4DRGY23l2Xu47GL7YtT9V29yWvWdk
                                                                                                              MD5:8109B3C170E6C2C114164B8947F88AA1
                                                                                                              SHA1:FC63956575842219443F4B4C07A8127FBD804C84
                                                                                                              SHA-256:F320B4BB4E57825AA4A40E5A61C1C0189D808B3EACE072B35C77F38745A4C416
                                                                                                              SHA-512:F8A8D7A6469CD3E7C31F3335DDCC349AD7A686730E1866F130EE36AA9994C52A01545CE73D60B642FFE0EE49972435D183D8CD041F2BB006A6CAF31BAF4924AC
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):242
                                                                                                              Entropy (8bit):3.4938093034530917
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:fxnxUX44lWWoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyvToGHmD0+dAH/luWvv
                                                                                                              MD5:A6B2731ECC78E7CED9ED5408AB4F2931
                                                                                                              SHA1:BA15D036D522978409846EA682A1D7778381266F
                                                                                                              SHA-256:6A2F9E46087B1F0ED0E847AF05C4D4CC9F246989794993E8F3E15B633EFDD744
                                                                                                              SHA-512:666926612E83A7B4F6259C3FFEC3185ED3F07BDC88D43796A24C3C9F980516EB231BDEA4DC4CC05C6D7714BA12AE2DCC764CD07605118698809DEF12A71F1FDD
                                                                                                              Malicious:false
                                                                                                              Preview:[File]..OriginalName: TabList.glox..Component: WordFiles..ReqVer: 14..StoreLocation: {My Templates}\SmartArt Graphics....
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                              Category:dropped
                                                                                                              Size (bytes):4888
                                                                                                              Entropy (8bit):7.8636569313247335
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:StrFZ23/juILHPzms5UTuK9CuZGEoEuZ28H1HiGa2RnnLY+tUb:SPZQ7uCHPzms5UTlqauZVHdJRnLY+tUb
                                                                                                              MD5:0A4CA91036DC4F3CD8B6DBF18094CF25
                                                                                                              SHA1:6C7EED2530CD0032E9EEAB589AFBC296D106FBB9
                                                                                                              SHA-256:E5A56CCB3B3898F76ABF909209BFAB401B5DDCD88289AD43CE96B02989747E50
                                                                                                              SHA-512:7C69426F2250E8C84368E8056613C22977630A4B3F5B817FB5EA69081CE2A3CA6E5F93DF769264253D5411419AF73467A27F0BB61291CCDE67D931BD0689CB66
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):278
                                                                                                              Entropy (8bit):3.5280239200222887
                                                                                                              Encrypted:false
                                                                                                              Malicious:false
                                                                                                              Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .g.b...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):268317
                                                                                                              Entropy (8bit):5.05419861997223
                                                                                                              Encrypted:false
                                                                                                              Malicious:false
                                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):252
                                                                                                              Entropy (8bit):3.48087342759872
                                                                                                              Encrypted:false
                                                                                                              Malicious:false
                                                                                                              Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .P.i.c.t.u.r.e.F.r.a.m.e...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):4326
                                                                                                              Entropy (8bit):7.821066198539098
                                                                                                              Encrypted:false
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):258
                                                                                                              Entropy (8bit):3.4692172273306268
                                                                                                              Encrypted:false
                                                                                                              Malicious:false
                                                                                                              Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .p.i.c.t.u.r.e.o.r.g.c.h.a.r.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):7370
                                                                                                              Entropy (8bit):7.9204386289679745
                                                                                                              Encrypted:false
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):332
                                                                                                              Entropy (8bit):3.547857457374301
                                                                                                              Encrypted:false
                                                                                                              Malicious:false
                                                                                                              Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .h.a.r.v.a.r.d.a.n.g.l.i.a.2.0.0.8.o.f.f.i.c.e.o.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):284415
                                                                                                              Entropy (8bit):5.00549404077789
                                                                                                              Encrypted:false
                                                                                                              Malicious:false
                                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2008</xsl:text>.....</xsl:when>.... <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <x
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                              Category:dropped
                                                                                                              Size (bytes):16806
                                                                                                              Entropy (8bit):7.9519793977093505
                                                                                                              Encrypted:false
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):254
                                                                                                              Entropy (8bit):3.4720677950594836
                                                                                                              Encrypted:false
                                                                                                              Malicious:false
                                                                                                              Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .C.i.r.c.l.e.P.r.o.c.e.s.s...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):314
                                                                                                              Entropy (8bit):3.5230842510951934
                                                                                                              Encrypted:false
                                                                                                              Malicious:false
                                                                                                              Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .i.e.e.e.2.0.0.6.o.f.f.i.c.e.o.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):294178
                                                                                                              Entropy (8bit):4.977758311135714
                                                                                                              Encrypted:false
                                                                                                              Malicious:false
                                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2006</xsl:text>.....</xsl:when>.. <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameL
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):238
                                                                                                              Entropy (8bit):3.472155835869843
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:fxnxUXGE2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny4GHmD0+dAH/luWvv
                                                                                                              MD5:2240CF2315F2EB448CEA6E9CE21B5AC5
                                                                                                              SHA1:46332668E2169E86760CBD975FF6FA9DB5274F43
                                                                                                              SHA-256:0F7D0BD5A8CED523CFF4F99D7854C0EE007F5793FA9E1BA1CD933B0894BFBD0D
                                                                                                              SHA-512:10BA73FF861112590BF135F4B337346F9D4ACEB10798E15DC5976671E345BC29AC8527C6052FEC86AA7058E06D1E49052E49D7BCF24A01DB259B5902DB091182
                                                                                                              Malicious:false
                                                                                                              Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .r.i.n.g.s...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):5151
                                                                                                              Entropy (8bit):7.859615916913808
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:WkV3UHhcZDEteEJqeSGzpG43GUR8m8b6dDLiCTfjKPnD6H5RhfuDKNtxx3+7tDLp:Wq3UBc9EJqIpGgD5dDL1DjKvDKhfnNti
                                                                                                              MD5:6C24ED9C7C868DB0D55492BB126EAFF8
                                                                                                              SHA1:C6D96D4D298573B70CF5C714151CF87532535888
                                                                                                              SHA-256:48AF17267AD75C142EFA7AB7525CA48FAB579592339FB93E92C4C4DA577D4C9F
                                                                                                              SHA-512:A3E9DC48C04DC8571289F57AE790CA4E6934FBEA4FDDC20CB780F7EA469FE1FC1D480A1DBB04D15301EF061DA5700FF0A793EB67D2811C525FEF618B997BCABD
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):290
                                                                                                              Entropy (8bit):3.5081874837369886
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:fxnxUXCOzi8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnydONGHmD0wbnKYZAH/lMZqiv
                                                                                                              MD5:8D9B02CC69FA40564E6C781A9CC9E626
                                                                                                              SHA1:352469A1ABB8DA1DC550D7E27924E552B0D39204
                                                                                                              SHA-256:1D4483830710EF4A2CC173C3514A9F4B0ACA6C44DB22729B7BE074D18C625BAE
                                                                                                              SHA-512:8B7DB2AB339DD8085104855F847C48970C2DD32ADB0B8EEA134A64C5CC7DE772615F85D057F4357703B65166C8CF0C06F4F6FD3E60FFC80DA3DD34B16D5B1281
                                                                                                              Malicious:false
                                                                                                              Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .g.o.s.t.n.a.m.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):255948
                                                                                                              Entropy (8bit):5.103631650117028
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:gwprAm795vtfb8p4bgWPWEtTmtcRCDPThNPFQwB+26RxlsIBkAgRMBHcTCwsHe5a:kW
                                                                                                              MD5:9888A214D362470A6189DEFF775BE139
                                                                                                              SHA1:32B552EB3C73CD7D0D9D924C96B27A86753E0F97
                                                                                                              SHA-256:C64ED5C2A323C00E84272AD3A701CAEBE1DCCEB67231978DE978042F09635FA7
                                                                                                              SHA-512:8A75FC2713003FA40B9730D29C786C76A796F30E6ACE12064468DD2BB4BF97EF26AC43FFE1158AB1DB06FF715D2E6CDE8EF3E8B7C49AA1341603CE122F311073
                                                                                                              Malicious:false
                                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>............<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select=
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):260
                                                                                                              Entropy (8bit):3.494357416502254
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:fxnxUX0XPE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyEXPGHmD0+dAH/luWvv
                                                                                                              MD5:6F8FE7B05855C203F6DEC5C31885DD08
                                                                                                              SHA1:9CC27D17B654C6205284DECA3278DA0DD0153AFF
                                                                                                              SHA-256:B7F58DF058C938CCF39054B31472DC76E18A3764B78B414088A261E440870175
                                                                                                              SHA-512:C518A243E51CB4A1E3C227F6A8A8D9532EE111D5A1C86EBBB23BD4328D92CD6A0587DF65B3B40A0BE2576D8755686D2A3A55E10444D5BB09FC4E0194DB70AFE6
                                                                                                              Malicious:false
                                                                                                              Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.h.e.m.e.P.i.c.t.u.r.e.G.r.i.d...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6193
                                                                                                              Entropy (8bit):7.855499268199703
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:WavHMKgnU2HUGFhUnkbOKoztj1QfcnLYut3d8:YKeUlGXUnC+HQSMp
                                                                                                              MD5:031C246FFE0E2B623BBBD231E414E0D2
                                                                                                              SHA1:A57CA6134779D54691A4EFD344BC6948E253E0BA
                                                                                                              SHA-256:2D76C8D1D59EDB40D1FBBC6406A06577400582D1659A544269500479B6753CF7
                                                                                                              SHA-512:6A784C28E12C3740300883A0E690F560072A3EA8199977CBD7F260A21E8346B82BA8A4F78394D3BB53FA2E98564B764C2D0232C40B25FB6085C36D20D70A39D1
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):333258
                                                                                                              Entropy (8bit):4.654450340871081
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:ybW83Zb181+MKHZR5D7H3hgtfL/8mIDbEhPv9FHSVsioWUyGYmwxAw+GIfnUNv5J:i
                                                                                                              MD5:5632C4A81D2193986ACD29EADF1A2177
                                                                                                              SHA1:E8FF4FDFEB0002786FCE1CF8F3D25F8E9631E346
                                                                                                              SHA-256:06DE709513D7976690B3DD8F5FDF1E59CF456A2DFBA952B97EACC72FE47B238B
                                                                                                              SHA-512:676CE1957A374E0F36634AA9CFFBCFB1E1BEFE1B31EE876483B10763EA9B2D703F2F3782B642A5D7D0945C5149B572751EBD9ABB47982864834EF61E3427C796
                                                                                                              Malicious:false
                                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.. <xsl:output method="html" encoding="us-ascii"/>.... <xsl:template match="*" mode="outputHtml2">.. <xsl:apply-templates mode="outputHtml"/>.. </xsl:template>.... <xsl:template name="StringFormatDot">.. <xsl:param name="format" />.. <xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.. <xsl:when test="$format = ''"></xsl:when>.. <xsl:when test="substring($format, 1, 2) = '%%'">.. <xsl:text>%</xsl:text>.. <xsl:call-template name="StringFormatDot">.. <xsl:with-param name="format" select="substring($format, 3)" />.. <xsl:with-param name=
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):328
                                                                                                              Entropy (8bit):3.541819892045459
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:fxnxUXuqRDA5McaQVTi8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxny+AASZQoNGHmD0wbnKYZAH/lMZqiv
                                                                                                              MD5:C3216C3FC73A4B3FFFE7ED67153AB7B5
                                                                                                              SHA1:F20E4D33BABE978BE6A6925964C57D6E6EF1A92E
                                                                                                              SHA-256:7CF1D6A4F0BE5E6184F59BFB1304509F38E480B59A3B091DBDC43B052D2137CB
                                                                                                              SHA-512:D3B78BE6E7633FF943F5E34063B5EFA4AF239CD49F437227FC7575F6CC65C497B7D6F6A979EA065065BEAF257CB368560B5462542692286052B5C7E5C01755BC
                                                                                                              Malicious:false
                                                                                                              Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .A.P.A.S.i.x.t.h.E.d.i.t.i.o.n.O.f.f.i.c.e.O.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):260
                                                                                                              Entropy (8bit):3.4895685222798054
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:fxnxUX4cPBl4xoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyPl4xoGHmD0+dAH/luWvv
                                                                                                              MD5:63E8B0621B5DEFE1EF17F02EFBFC2436
                                                                                                              SHA1:2D02AD4FD9BF89F453683B7D2B3557BC1EEEE953
                                                                                                              SHA-256:9243D99795DCDAD26FA857CB2740E58E3ED581E3FAEF0CB3781CBCD25FB4EE06
                                                                                                              SHA-512:A27CDA84DF5AD906C9A60152F166E7BD517266CAA447195E6435997280104CBF83037F7B05AE9D4617323895DCA471117D8C150E32A3855156CB156E15FA5864
                                                                                                              Malicious:false
                                                                                                              Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .V.a.r.y.i.n.g.W.i.d.t.h.L.i.s.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):3075
                                                                                                              Entropy (8bit):7.716021191059687
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:96yn4sOBoygpySCCxwKsZCB2oLEIK+aQpUNLRQWtmMamIZxAwCC2QnyODhVOzP4:l0vCxJsZQ2ofpKvtmMdIZxAwJyODhVOE
                                                                                                              MD5:67766FF48AF205B771B53AA2FA82B4F4
                                                                                                              SHA1:0964F8B9DC737E954E16984A585BDC37CE143D84
                                                                                                              SHA-256:160D05B4CB42E1200B859A2DE00770A5C9EBC736B70034AFC832A475372A1667
                                                                                                              SHA-512:AC28B0B4A9178E9B424E5893870913D80F4EE03D595F587AA1D3ACC68194153BAFC29436ADFD6EA8992F0B00D17A43CFB42C529829090AF32C3BE591BD41776D
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):286
                                                                                                              Entropy (8bit):3.5502940710609354
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:fxnxUXfQICl8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyXClNGHmD0wbnKYZAH/lMZqiv
                                                                                                              MD5:9B8D7EFE8A69E41CDC2439C38FE59FAF
                                                                                                              SHA1:034D46BEC5E38E20E56DD905E2CA2F25AF947ED1
                                                                                                              SHA-256:70042F1285C3CD91DDE8D4A424A5948AE8F1551495D8AF4612D59709BEF69DF2
                                                                                                              SHA-512:E50BB0C68A33D35F04C75F05AD4598834FEC7279140B1BB0847FF39D749591B8F2A0C94DA4897AAF6C33C50C1D583A836B0376015851910A77604F8396C7EF3C
                                                                                                              Malicious:false
                                                                                                              Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .i.s.o.6.9.0...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):270198
                                                                                                              Entropy (8bit):5.073814698282113
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:JwprAiaR95vtfb8pDbgWPzDCvCmvQursq7vImej/yQ4SS1apSiQhHDOruvoVeMUX:We
                                                                                                              MD5:FF0E07EFF1333CDF9FC2523D323DD654
                                                                                                              SHA1:77A1AE0DD8DBC3FEE65DD6266F31E2A564D088A4
                                                                                                              SHA-256:3F925E0CC1542F09DE1F99060899EAFB0042BB9682507C907173C392115A44B5
                                                                                                              SHA-512:B4615F995FAB87661C2DBE46625AA982215D7BDE27CAFAE221DCA76087FE76DA4B4A381943436FCAC1577CB3D260D0050B32B7B93E3EB07912494429F126BB3D
                                                                                                              Malicious:false
                                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):290
                                                                                                              Entropy (8bit):3.5161159456784024
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:fxnxUX+l8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyulNGHmD0wbnKYZAH/lMZqiv
                                                                                                              MD5:C15EB3F4306EBF75D1E7C3C9382DEECC
                                                                                                              SHA1:A3F9684794FFD59151A80F97770D4A79F1D030A6
                                                                                                              SHA-256:23C262DF3AEACB125E88C8FFB7DBF56FD23F66E0D476AFD842A68DDE69658C7F
                                                                                                              SHA-512:ACDF7D69A815C42223FD6300179A991A379F7166EFAABEE41A3995FB2030CD41D8BCD46B566B56D1DFBAE8557AFA1D9FD55143900A506FA733DE9DA5D73389D6
                                                                                                              Malicious:false
                                                                                                              Preview:[File] OriginalName: turabian.xsl; Component: WordFiles; ReqVer: 14; Executable: {WD}; StoreLocation: {My Templates}; Command: /f {FilePath}
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):344303
                                                                                                              Entropy (8bit):5.023195898304535
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:UwprANnsqvtfL/vF/bkWPRMMv7EOMBPitjASjTQQr7IwR0TnyDk1b78plJwf33iD:6
                                                                                                              MD5:F079EC5E2CCB9CD4529673BCDFB90486
                                                                                                              SHA1:FBA6696E6FA918F52997193168867DD3AEBE1AD6
                                                                                                              SHA-256:3B651258F4D0EE1BFFC7FB189250DED1B920475D1682370D6685769E3A9346DB
                                                                                                              SHA-512:4FFFA59863F94B3778F321DA16C43B92A3053E024BDD8C5317077EA1ECC7B09F67ECE3C377DB693F3432BF1E2D947EC5BF8E88E19157ED08632537D8437C87D6
                                                                                                              Malicious:false
                                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$pa
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):262
                                                                                                              Entropy (8bit):3.4901887319218092
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:fxnxUXqhBMl0OoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyiMl0OoGHmD0+dAH/luWvv
                                                                                                              MD5:52BD0762F3DC77334807DDFC60D5F304
                                                                                                              SHA1:5962DA7C58F742046A116DDDA5DC8EA889C4CB0E
                                                                                                              SHA-256:30C20CC835E912A6DD89FD1BF5F7D92B233B2EC24594F1C1FE0CADB03A8C3FAB
                                                                                                              SHA-512:FB68B1CF9677A00D5651C51EC604B61DAC2D250D44A71D43CD69F41F16E4F0A7BAA7AD4A6F7BB870429297465A893013BBD7CC77A8F709AD6DB97F5A0927B1DD
                                                                                                              Malicious:false
                                                                                                              Preview:[File] OriginalName: RadialPictureList.glox; Component: WordFiles; ReqVer: 14; StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):5596
                                                                                                              Entropy (8bit):7.875182123405584
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:dGa2unnLYEB2EUAPOak380NQjqbHaPKJebgrEVws8Vw+BMa0EbdLVQaZJgDZh0pJ:UJunLYEB2EUAxk3pIYaScgYwsV4bdS0X
                                                                                                              MD5:CDC1493350011DB9892100E94D5592FE
                                                                                                              SHA1:684B444ADE2A8DBE760B54C08F2D28F2D71AD0FA
                                                                                                              SHA-256:F637A67799B492FEFFB65632FED7815226396B4102A7ED790E0D9BB4936E1548
                                                                                                              SHA-512:3699066A4E8A041079F12E88AB2E7F485E968619CB79175267842846A3AD64AA8E7778CBACDF1117854A7FDCFB46C8025A62F147C81074823778C6B4DC930F12
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):280
                                                                                                              Entropy (8bit):3.484503080761839
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:fxnxUXGdQ1MecJZMlWlk2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny2dQ98MlWlzGHmD0+dAH/luWvv
                                                                                                              MD5:1309D172F10DD53911779C89A06BBF65
                                                                                                              SHA1:274351A1059868E9DEB53ADF01209E6BFBDFADFB
                                                                                                              SHA-256:C190F9E7D00E053596C3477455D1639C337C0BE01012C0D4F12DFCB432F5EC56
                                                                                                              SHA-512:31B38AD2D1FFF93E03BF707811F3A18AD08192F906E36178457306DDAB0C3D8D044C69DE575ECE6A4EE584800F827FB3C769F98EA650F1C208FEE84177070339
                                                                                                              Malicious:false
                                                                                                              Preview:[File] OriginalName: InterconnectedBlockProcess.glox; Component: WordFiles; ReqVer: 14; StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                              Category:dropped
                                                                                                              Size (bytes):9191
                                                                                                              Entropy (8bit):7.93263830735235
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:oeAMExvPJMg+yE+AfJLi3+Xoj7F3sPgMG61J88eDhFWT7hFNsdJtnLYJ7tSh:v2d+hnfJLi3+4ja4WqhFWT7FsdHMA
                                                                                                              MD5:08D3A25DD65E5E0D36ADC602AE68C77D
                                                                                                              SHA1:F23B6DDB3DA0015B1D8877796F7001CABA25EA64
                                                                                                              SHA-256:58B45B9DBA959F40294DA2A54270F145644E810290F71260B90F0A3A9FCDEBC1
                                                                                                              SHA-512:77D24C272D67946A3413D0BEA700A7519B4981D3B4D8486A655305546CE6133456321EE94FD71008CBFD678433EA1C834CFC147179B31899A77D755008FCE489
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):254
                                                                                                              Entropy (8bit):3.4845992218379616
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:fxnxUXQFoElh/lE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny8lLGHmD0+dAH/luWvv
                                                                                                              MD5:E8B30D1070779CC14FBE93C8F5CF65BE
                                                                                                              SHA1:9C87F7BC66CF55634AB3F070064AAF8CC977CD05
                                                                                                              SHA-256:2E90434BE1F6DCEA9257D42C331CD9A8D06B848859FD4742A15612B2CA6EFACB
                                                                                                              SHA-512:C0D5363B43D45751192EF06C4EC3C896A161BB11DBFF1FC2E598D28C644824413C78AE3A68027F7E622AF0D709BE0FA893A3A3B4909084DF1ED9A8C1B8267FCA
                                                                                                              Malicious:false
                                                                                                              Preview:[File] OriginalName: HexagonRadial.glox; Component: WordFiles; ReqVer: 14; StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6024
                                                                                                              Entropy (8bit):7.886254023824049
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:bGa2onnLYHTSSxpHVTSH1bywZKmpRqiUtFvS9xrPooBpni6eDa16MUELHsrKjRBA:SJonLYzSSr1TuZNwtFZKpiiyrKXuCUd
                                                                                                              MD5:20621E61A4C5B0FFEEC98FFB2B3BCD31
                                                                                                              SHA1:4970C22A410DCB26D1BD83B60846EF6BEE1EF7C4
                                                                                                              SHA-256:223EA2602C3E95840232CACC30F63AA5B050FA360543C904F04575253034E6D7
                                                                                                              SHA-512:BDF3A8E3D6EE87D8ADE0767918603B8D238CAE8A2DD0C0F0BF007E89E057C7D1604EB3CCAF0E1BA54419C045FC6380ECBDD070F1BB235C44865F1863A8FA7EEA
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):264
                                                                                                              Entropy (8bit):3.4866056878458096
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:fxnxUX0XrZUloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyEXWloGHmD0+dAH/luWvv
                                                                                                              MD5:6C489D45F3B56845E68BE07EA804C698
                                                                                                              SHA1:C4C9012C0159770CB882870D4C92C307126CEC3F
                                                                                                              SHA-256:3FE447260CDCDEE287B8D01CF5F9F53738BFD6AAEC9FB9787F2826F8DEF1CA45
                                                                                                              SHA-512:D1355C48A09E7317773E4F1613C4613B7EA42D21F5A6692031D288D69D47B19E8F4D5A29AFD8B751B353FC7DE865EAE7CFE3F0BEC05F33DDF79526D64A29EB18
                                                                                                              Malicious:false
                                                                                                              Preview:[File] OriginalName: ThemePictureAccent.glox; Component: WordFiles; ReqVer: 14; StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6448
                                                                                                              Entropy (8bit):7.897260397307811
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:tgaoRbo1sMjb0NiJ85oPtqcS+yaXWoa8XBzdJYnLYFtWT7:LR1sk+i4o1qc1yaukzd8MK
                                                                                                              MD5:42A840DC06727E42D42C352703EC72AA
                                                                                                              SHA1:21AAAF517AFB76BF1AF4E06134786B1716241D29
                                                                                                              SHA-256:02CCE7D526F844F70093AC41731D1A1E9B040905DCBA63BA8BFFC0DBD4D3A7A7
                                                                                                              SHA-512:8886BFD240D070237317352DEB3D46C6B07E392EBD57730B1DED016BD8740E75B9965F7A3FCD43796864F32AAE0BE911AB1A670E9CCC70E0774F64B1BDA93488
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):246
                                                                                                              Entropy (8bit):3.5039994158393686
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:fxnxUX4f+E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyvGHmD0+dAH/luWvv
                                                                                                              MD5:16711B951E1130126E240A6E4CC2E382
                                                                                                              SHA1:8095AA79AEE029FD06428244CA2A6F28408448DB
                                                                                                              SHA-256:855342FE16234F72DA0C2765455B69CF412948CFBE70DE5F6D75A20ACDE29AE9
                                                                                                              SHA-512:454EAA0FD669489583C317699BE1CE5D706C31058B08CF2731A7621FDEFB6609C2F648E02A7A4B2B3A3DFA8406A696D1A6FA5063DDA684BDA4450A2E9FEFB0EF
                                                                                                              Malicious:false
                                                                                                              Preview:[File] OriginalName: TabbedArc.glox; Component: WordFiles; ReqVer: 14; StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                              Category:dropped
                                                                                                              Size (bytes):3683
                                                                                                              Entropy (8bit):7.772039166640107
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:GyfQZd6ZHNCWl9aXFkZwIq/QDsRYPf8P9QtDIs5r:G6wYtNZS1k99AmPfSOtD5r
                                                                                                              MD5:E8308DA3D46D0BC30857243E1B7D330D
                                                                                                              SHA1:C7F8E54A63EB254C194A23137F269185E07F9D10
                                                                                                              SHA-256:6534D4D7EF31B967DD0A20AFFF092F8B93D3C0EFCBF19D06833F223A65C6E7C4
                                                                                                              SHA-512:88AB7263B7A8D7DDE1225AE588842E07DF3CE7A07CBD937B7E26DA7DA7CFED23F9C12730D9EF4BC1ACF26506A2A96E07875A1A40C2AD55AD1791371EE674A09B
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):286
                                                                                                              Entropy (8bit):3.4670546921349774
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:fxnxUX0XPYDxUloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyEXPYDCloGHmD0+dAH/luWvv
                                                                                                              MD5:3D52060B74D7D448DC733FFE5B92CB52
                                                                                                              SHA1:3FBA3FFC315DB5B70BF6F05C4FF84B52A50FCCBC
                                                                                                              SHA-256:BB980559C6FC38B703D1E9C41720D5CE8D00D2FF86D4F25136DB02B1E54B1518
                                                                                                              SHA-512:952EF139A72562A528C1052F1942DAE1C0509D67654BF5E7C0602C87F90147E8EE9E251D2632BCB5B511AB2FF8A3734293D0A4E3DBD3D187F5E3C042685F9A0C
                                                                                                              Malicious:false
                                                                                                              Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.h.e.m.e.P.i.c.t.u.r.e.A.l.t.e.r.n.a.t.i.n.g.A.c.c.e.n.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                              Category:dropped
                                                                                                              Size (bytes):5630
                                                                                                              Entropy (8bit):7.87271654296772
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:n5ni6jKZWsD+QJaUQ7R6qYFF5QS+BEgeJam6S7ZCHuKViGa2CnnLYLt/ht:nccqxIBdQ1QS+uDJanS7ZCHHVdJCnLY5
                                                                                                              MD5:2F8998AA9CF348F1D6DE16EAB2D92070
                                                                                                              SHA1:85B13499937B4A584BEA0BFE60475FD4C73391B6
                                                                                                              SHA-256:8A216D16DEC44E02B9AB9BBADF8A11F97210D8B73277B22562A502550658E580
                                                                                                              SHA-512:F10F7772985EDDA442B9558127F1959FF0A9909C7B7470E62D74948428BFFF7E278739209E8626AE5917FF728AFB8619AE137BEE2A6A4F40662122208A41ABB2
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):274
                                                                                                              Entropy (8bit):3.438490642908344
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:fxnxUXZlaWimoa2nRE3QepmlJ0+3FbnKfZObdADxp1RDWlVwv:fxnyplagN2RGHmD0wbnKYZAH+Vwv
                                                                                                              MD5:0F98498818DC28E82597356E2650773C
                                                                                                              SHA1:1995660972A978D17BC483FCB5EE6D15E7058046
                                                                                                              SHA-256:4587CA0B2A60728FF0A5B8E87D35BF6C6FDF396747E13436EC856612AC1C6288
                                                                                                              SHA-512:768562F20CFE15001902CCE23D712C7439721ECA6E48DDDCF8BFF4E7F12A3BC60B99C274CBADD0128EEA1231DB19808BAA878E825497F3860C381914C21B46FF
                                                                                                              Malicious:false
                                                                                                              Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .E.l.e.m.e.n.t. .d.e.s.i.g.n. .s.e.t...d.o.t.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.W.D. .D.o.c.u.m.e.n.t. .P.a.r.t.s.}.........
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Word 2007+
                                                                                                              Category:dropped
                                                                                                              Size (bytes):34415
                                                                                                              Entropy (8bit):7.352974342178997
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:768:ev13NPo9o5NGEVIi3kvH+3SMdk7zp3tE2:ev13xoOE+R3BkR7
                                                                                                              MD5:7CDFFC23FB85AD5737452762FA36AAA0
                                                                                                              SHA1:CFBC97247959B3142AFD7B6858AD37B18AFB3237
                                                                                                              SHA-256:68A8FBFBEE4C903E17C9421082E839144C205C559AFE61338CBDB3AF79F0D270
                                                                                                              SHA-512:A0685FD251208B772436E9745DA2AA52BC26E275537688E3AB44589372D876C9ACE14B21F16EC4053C50EB4C8E11787E9B9D922E37249D2795C5B7986497033E
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):302
                                                                                                              Entropy (8bit):3.537169234443227
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:fxnxUXfQIUA/e/Wl8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyXZ/eulNGHmD0wbnKYZAH/lMZqiv
                                                                                                              MD5:9C00979164E78E3B890E56BE2DF00666
                                                                                                              SHA1:1FA3C439D214C34168ADF0FBA5184477084A0E51
                                                                                                              SHA-256:21CCB63A82F1E6ACD6BAB6875ABBB37001721675455C746B17529EE793382C7B
                                                                                                              SHA-512:54AC8732C2744B60DA744E54D74A2664658E4257A136ABE886FF21585E8322E028D8243579D131EF4E9A0ABDDA70B4540A051C8B8B60D65C3EC0888FD691B9A7
                                                                                                              Malicious:false
                                                                                                              Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .i.s.o.6.9.0.n.m.e.r.i.c.a.l...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):217137
                                                                                                              Entropy (8bit):5.068335381017074
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:AwprA3Z95vtf58pb1WP2DCvCmvQursq7vIme5QyQzSS1apSiQhHDlruvoVeMUwFj:4P
                                                                                                              MD5:3BF8591E1D808BCCAD8EE2B822CC156B
                                                                                                              SHA1:9CC1E5EFD715BD0EAE5AF983FB349BAC7A6D7BA0
                                                                                                              SHA-256:7194396E5C833E6C8710A2E5D114E8E24338C64EC9818D51A929D57A5E4A76C8
                                                                                                              SHA-512:D434A4C15DA3711A5DAAF5F7D0A5E324B4D94A04B3787CA35456BFE423EAC9D11532BB742CDE6E23C16FA9FD203D3636BD198B41C7A51E7D3562D5306D74F757
                                                                                                              Malicious:false
                                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>...... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parame
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):4026
                                                                                                              Entropy (8bit):7.809492693601857
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:VpDCBFLhxaUGm5EWA07yNdKH1FQpy8tnX8Iz3b7TrT502+fPD:VpDYFFRMNU+RtXzLf35t+3D
                                                                                                              MD5:5D9BAD7ADB88CEE98C5203883261ACA1
                                                                                                              SHA1:FBF1647FCF19BCEA6C3CF4365C797338CA282CD2
                                                                                                              SHA-256:8CE600404BB3DB92A51B471D4AB8B166B566C6977C9BB63370718736376E0E2F
                                                                                                              SHA-512:7132923869A3DA2F2A75393959382599D7C4C05CA86B4B27271AB9EA95C7F2E80A16B45057F4FB729C9593F506208DC70AF2A635B90E4D8854AC06C787F6513D
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):250
                                                                                                              Entropy (8bit):3.4916022431157345
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:fxnxUXsAl8xoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny8A8xoGHmD0+dAH/luWvv
                                                                                                              MD5:1A314B08BB9194A41E3794EF54017811
                                                                                                              SHA1:D1E70DB69CA737101524C75E634BB72F969464FF
                                                                                                              SHA-256:9025DD691FCAD181D5FD5952C7AA3728CD8A2CAF20DEA14930876419BED9B379
                                                                                                              SHA-512:AB29C8674A85711EABAE5F9559E9048FE91A2F51EB12D5A46152A310DE59F759DF8C617DA248798A7C20F60E26FBB1B0FC8DB47C46B098BCD26CF8CE78989ACA
                                                                                                              Malicious:false
                                                                                                              Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .B.r.a.c.k.e.t.L.i.s.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):256
                                                                                                              Entropy (8bit):3.4842773155694724
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:fxnxUXDAlIJAFIloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyMlI7loGHmD0+dAH/luWvv
                                                                                                              MD5:923D406B2170497AD4832F0AD3403168
                                                                                                              SHA1:A77DA08C9CB909206CDE42FE1543B9FE96DF24FB
                                                                                                              SHA-256:EBF9CF474B25DDFE0F6032BA910D5250CBA2F5EDF9CF7E4B3107EDB5C13B50BF
                                                                                                              SHA-512:A4CD8C74A3F916CA6B15862FCA83F17F2B1324973CCBCC8B6D9A8AEE63B83A3CD880DC6821EEADFD882D74C7EF58FA586781DED44E00E8B2ABDD367B47CE45B7
                                                                                                              Malicious:false
                                                                                                              Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .C.o.n.v.e.r.g.i.n.g.T.e.x.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                              Category:dropped
                                                                                                              Size (bytes):11380
                                                                                                              Entropy (8bit):7.891971054886943
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:VJcnLYnAVbOFLaCPLrGGbhaWEu6d3RmryqLkeAShObPb1AYcRMMXjkfa0nYBwggD:VcMC8lLrRbhy1ZqLyShYb1FHQ4C0nYQJ
                                                                                                              MD5:C9F9364C659E2F0C626AC0D0BB519062
                                                                                                              SHA1:C4036C576074819309D03BB74C188BF902D1AE00
                                                                                                              SHA-256:6FC428CA0DCFC27D351736EF16C94D1AB08DDA50CB047A054F37EC028DD08AA2
                                                                                                              SHA-512:173A5E68E55163B081C5A8DA24AE46428E3FB326EBE17AE9588C7F7D7E5E5810BFCF08C23C3913D6BEC7369E06725F50387612F697AC6A444875C01A2C94D0FF
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):486596
                                                                                                              Entropy (8bit):7.668294441507828
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:A+JBmUx0Zo24n8z/2NSYFl2qGBuv8p6+LwwYmN59wBttsdJrmXMlP1NwQoGgeL:fNgxz/g5z2BT6+Eu0ntMcczNQG5L
                                                                                                              MD5:0E37AECABDB3FDF8AAFEDB9C6D693D2F
                                                                                                              SHA1:F29254D2476DF70979F723DE38A4BF41C341AC78
                                                                                                              SHA-256:7AC7629142C2508B070F09788217114A70DE14ACDB9EA30CBAB0246F45082349
                                                                                                              SHA-512:DE6AFE015C1D41737D50ADD857300996F6E929FED49CB71BC59BB091F9DAB76574C56DEA0488B0869FE61E563B07EBB7330C8745BC1DF6305594AC9BDEA4A6BF
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):274
                                                                                                              Entropy (8bit):3.535303979138867
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:Q+sxnxUX3IlVARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnynG6ymD0wbnKNAH/lMz1
                                                                                                              MD5:35AFE8D8724F3E19EB08274906926A0B
                                                                                                              SHA1:435B528AAF746428A01F375226C5A6A04099DF75
                                                                                                              SHA-256:97B8B2E246E4DAB15E494D2FB5F8BE3E6361A76C8B406C77902CE4DFF7AC1A35
                                                                                                              SHA-512:ACF4F124207974CFC46A6F4EA028A38D11B5AF40E55809E5B0F6F5DABA7F6FC994D286026FAC19A0B4E2311D5E9B16B8154F8566ED786E5EF7CDBA8128FD62AF
                                                                                                              Malicious:false
                                                                                                              Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .V.i.e.w...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):608122
                                                                                                              Entropy (8bit):7.729143855239127
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:Ckl6KRKwg9jf2q/bN69OuGFlC/DUhq68xOcJzGYnTxlLqU8dmTW:8yKwgZ2qY9kA7Uhq68H3ybmq
                                                                                                              MD5:8BA551EEC497947FC39D1D48EC868B54
                                                                                                              SHA1:02FA15FDAF0D7E2F5D44CAE5FFAE49E8F91328DF
                                                                                                              SHA-256:DB2E99B969546E431548EBD58707FC001BBD1A4BDECAD387D194CC9C6D15AC89
                                                                                                              SHA-512:CC97F9B2C83FF7CAC32AB9A9D46E0ACDE13EECABECD653C88F74E4FC19806BB9498D2F49C4B5581E58E7B0CB95584787EA455E69D99899381B592BEA177D4D4B
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):278
                                                                                                              Entropy (8bit):3.516359852766808
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:Q+sxnxUXKwRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny6qymD0wbnKNAH/lMz1
                                                                                                              MD5:960E28B1E0AB3522A8A8558C02694ECF
                                                                                                              SHA1:8387E9FD5179A8C811CCB5878BAC305E6A166F93
                                                                                                              SHA-256:2707FCA8CEC54DF696F19F7BCAD5F0D824A2AC01B73815DE58F3FCF0AAB3F6A0
                                                                                                              SHA-512:89EA06BA7D18B0B1EA624BBC052F73366522C231BD3B51745B92CF056B445F9D655F9715CBDCD3B2D02596DB4CD189D91E2FE581F2A2AA2F6D814CD3B004950A
                                                                                                              Malicious:false
                                                                                                              Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .P.a.r.c.e.l...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):777647
                                                                                                              Entropy (8bit):7.689662652914981
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:B04bNOJMngI856k0wwOGXMaXTLaTDmfBaN2Tx9iSUk1PdSnc0lnDlcGMcEFYYYYt:xbY6ngI46Aw5dmyYYYYYYYYY7p8d
                                                                                                              MD5:B30D2EF0FC261AECE90B62E9C5597379
                                                                                                              SHA1:4893C5B9BE04ECBB19EE45FFCE33CA56C7894FE3
                                                                                                              SHA-256:BB170D6DE4EE8466F56C93DC26E47EE8A229B9C4842EA8DD0D9CCC71BC8E2976
                                                                                                              SHA-512:2E728408C20C3C23C84A1C22DB28F0943AAA960B4436F8C77570448D5BEA9B8D53D95F7562883FA4F9B282DFE2FD07251EEEFDE5481E49F99B8FEDB66AAAAB68
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):290
                                                                                                              Entropy (8bit):3.5091498509646044
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:Q+sxnxUX1MiDuRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyFdMymD0wbnKNAH/lMz1
                                                                                                              MD5:23D59577F4AE6C6D1527A1B8CDB9AB19
                                                                                                              SHA1:A345D683E54D04CC0105C4BFFCEF8C6617A0093D
                                                                                                              SHA-256:9ADD2C3912E01C2AC7FAD6737901E4EECBCCE6EC60F8E4D78585469A440E1E2C
                                                                                                              SHA-512:B85027276B888548ECB8A2FC1DB1574C26FF3FCA7AF1F29CD5074EC3642F9EC62650E7D47462837607E11DCAE879B1F83DF4762CA94667AE70CBF78F8D455346
                                                                                                              Malicious:false
                                                                                                              Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .M.e.t.r.o.p.o.l.i.t.a.n...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):523048
                                                                                                              Entropy (8bit):7.715248170753013
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:WfmDdN6Zfv8q5rnM6vZ02PtMZRkfW5ipbnMHxVcsOWrCMxy0sD/mcKb4rYEY:xDdQXBrMi2YtggW5ObnMH1brJpUmBU0N
                                                                                                              MD5:C276F590BB846309A5E30ADC35C502AD
                                                                                                              SHA1:CA6D9D6902475F0BE500B12B7204DD1864E7DD02
                                                                                                              SHA-256:782996D93DEBD2AF9B91E7F529767A8CE84ACCC36CD62F24EBB5117228B98F58
                                                                                                              SHA-512:B85165C769DFE037502E125A04CFACDA7F7CC36184B8D0A54C1F9773666FFCC43A1B13373093F97B380871571788D532DEEA352E8D418E12FD7AAD6ADB75A150
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):276
                                                                                                              Entropy (8bit):3.5159096381406645
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:Q+sxnxUXQIa3ARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnygIaqymD0wbnKNAH/lMz1
                                                                                                              MD5:71CCB69AF8DD9821F463270FB8CBB285
                                                                                                              SHA1:8FED3EB733A74B2A57D72961F0E4CF8BCA42C851
                                                                                                              SHA-256:8E63D7ABA97DABF9C20D2FAC6EB1665A5D3FDEAB5FA29E4750566424AE6E40B4
                                                                                                              SHA-512:E62FC5BEAEC98C5FDD010FABDAA8D69237D31CA9A1C73F168B1C3ED90B6A9B95E613DEAD50EB8A5B71A7422942F13D6B5A299EB2353542811F2EF9DA7C3A15DC
                                                                                                              Malicious:false
                                                                                                              Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .F.r.a.m.e...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):570901
                                                                                                              Entropy (8bit):7.674434888248144
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:D2tTXiO/3GH5SkPQVAqWnGrkFxvay910UUTWZJarUv9TA0g8:kX32H+VWgkFxSgGTmarUv9T
                                                                                                              MD5:D676DE8877ACEB43EF0ED570A2B30F0E
                                                                                                              SHA1:6C8922697105CEC7894966C9C5553BEB64744717
                                                                                                              SHA-256:DF012D101DE808F6CD872DFBB619B16732C23CF4ABC64149B6C3CE49E9EFDA01
                                                                                                              SHA-512:F40BADA680EA5CA508947290BA73901D78DE79EAA10D01EAEF975B80612D60E75662BDA542E7F71C2BBA5CA9BA46ECAFE208FD6E40C1F929BB5E407B10E89FBD
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):282
                                                                                                              Entropy (8bit):3.5459495297497368
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:Q+sxnxUXvBAuRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnypJymD0wbnKNAH/lMz1
                                                                                                              MD5:76340C3F8A0BFCEDAB48B08C57D9B559
                                                                                                              SHA1:E1A6672681AA6F6D525B1D17A15BF4F912C4A69B
                                                                                                              SHA-256:78FE546321EDB34EBFA1C06F2B6ADE375F3B7C12552AB2A04892A26E121B3ECC
                                                                                                              SHA-512:49099F040C099A0AED88E7F19338140A65472A0F95ED99DEB5FA87587E792A2D11081D59FD6A83B7EE68C164329806511E4F1B8D673BEC9074B4FF1C09E3435D
                                                                                                              Malicious:false
                                                                                                              Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .D.i.v.i.d.e.n.d...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):558035
                                                                                                              Entropy (8bit):7.696653383430889
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12288:DQ/oYjRRRRRRRRYcdY/5ASWYqBMp8xsGGEOzI7vQQwOyP:DQ/nRRRRRRRRxY/5JWYZ3GGbI8YA
                                                                                                              MD5:3B5E44DDC6AE612E0346C58C2A5390E3
                                                                                                              SHA1:23BCF3FCB61F80C91D2CFFD8221394B1CB359C87
                                                                                                              SHA-256:9ED9AD4EB45E664800A4876101CBEE65C232EF478B6DE502A330D7C89C9AE8E2
                                                                                                              SHA-512:2E63419F272C6E411CA81945E85E08A6E3230A2F601C4D28D6312DB5C31321F94FAFA768B16BC377AE37B154C6869CA387005693A79C5AB1AC45ED73BCCC6479
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):276
                                                                                                              Entropy (8bit):3.5361139545278144
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:Q+sxnxUXeMWMluRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnycMlMymD0wbnKNAH/lMz1
                                                                                                              MD5:133D126F0DE2CC4B29ECE38194983265
                                                                                                              SHA1:D8D701298D7949BE6235493925026ED405290D43
                                                                                                              SHA-256:08485EBF168364D846C6FD55CD9089FE2090D1EE9D1A27C1812E1247B9005E68
                                                                                                              SHA-512:75D7322BE8A5EF05CAA48B754036A7A6C56399F17B1401F3F501DA5F32B60C1519F2981043A773A31458C3D9E1EF230EC60C9A60CAC6D52FFE16147E2E0A9830
                                                                                                              Malicious:false
                                                                                                              Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .B.a.s.i.s...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):286
                                                                                                              Entropy (8bit):3.538396048757031
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:fxnxUXcel8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyMelNGHmD0wbnKYZAH/lMZqiv
                                                                                                              MD5:149948E41627BE5DC454558E12AF2DA4
                                                                                                              SHA1:DB72388C037F0B638FCD007FAB46C916249720A8
                                                                                                              SHA-256:1B981DC422A042CDDEBE2543C57ED3D468288C20D280FF9A9E2BB4CC8F4776ED
                                                                                                              SHA-512:070B55B305DB48F7A8CD549A5AECF37DE9D6DCD780A5EC546B4BB2165AF4600FA2AF350DDDB48BECCAA3ED954AEE90F5C06C3183310B081F555389060FF4CB01
                                                                                                              Malicious:false
                                                                                                              Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .s.i.s.t.0.2...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):250983
                                                                                                              Entropy (8bit):5.057714239438731
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:JwprA6OS95vtfb8p4bgWPzkhUh9I5/oBRSifJeg/yQzvapSiQhHZeruvoXMUw3im:uP
                                                                                                              MD5:F883B260A8D67082EA895C14BF56DD56
                                                                                                              SHA1:7954565C1F243D46AD3B1E2F1BAF3281451FC14B
                                                                                                              SHA-256:EF4835DB41A485B56C2EF0FF7094BC2350460573A686182BC45FD6613480E353
                                                                                                              SHA-512:D95924A499F32D9B4D9A7D298502181F9E9048C21DBE0496FA3C3279B263D6F7D594B859111A99B1A53BD248EE69B867D7B1768C42E1E40934E0B990F0CE051E
                                                                                                              Malicious:false
                                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):562113
                                                                                                              Entropy (8bit):7.67409707491542
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12288:/dy5Gtyp/FZ9QqjdxDfSp424XeavSktiAVE0:/dizp1ndpqpMZnV
                                                                                                              MD5:4A1657A3872F9A77EC257F41B8F56B3D
                                                                                                              SHA1:4DDEA85C649A2C1408B5B08A15DEF49BAA608A0B
                                                                                                              SHA-256:C17103ADE455094E17AC182AD4B4B6A8C942FD3ACB381F9A5E34E3F8B416AE60
                                                                                                              SHA-512:7A2932639E06D79A5CE1D3C71091890D9E329CA60251E16AE4095E4A06C6428B4F86B7FFFA097BF3EEFA064370A4D51CA3DF8C89EAFA3B1F45384759DEC72922
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):278
                                                                                                              Entropy (8bit):3.535736910133401
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:Q+sxnxUXeAlFkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyRGymD0wbnKNAH/lMz1
                                                                                                              MD5:487E25E610F3FC2EEA27AB54324EA8F6
                                                                                                              SHA1:11C2BB004C5E44503704E9FFEEFA7EA7C2A9305C
                                                                                                              SHA-256:022EC5077279A8E447B590F7260E1DBFF764DE5F9CDFD4FDEE32C94C66D4A1A2
                                                                                                              SHA-512:B8DF351E2C0EF101CF91DC02E136A3EE9C1FDB18294BECB13A29D676FBBE791A80A58A18FBDEB953BC21EC54EB7608154D401407C461ABD10ACB94CE8AD0E092
                                                                                                              Malicious:false
                                                                                                              Preview:[File] OriginalName: Banded.thmx Component: PPTFiles ReqVer: 14 Executable: {PP} StoreLocation: {My Templates} Command: {FilePath}
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                              Category:dropped
                                                                                                              Size (bytes):924687
                                                                                                              Entropy (8bit):7.824849396154325
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12288:lsadD3eLxI8XSh4yDwFw8oWR+6dmw2ZpQDKpazILv7Jzny/ApcWqyOpEZULn:qLxI8XSh4yUF/oWR+mLKpYIr7l3ZQ7n
                                                                                                              MD5:97EEC245165F2296139EF8D4D43BBB66
                                                                                                              SHA1:0D91B68CCB6063EB342CFCED4F21A1CE4115C209
                                                                                                              SHA-256:3C5CF7BDB27592791ADF4E7C5A09DDE4658E10ED8F47845064DB1153BE69487C
                                                                                                              SHA-512:8594C49CAB6FF8385B1D6E174431DAFB0E947A8D7D3F200E622AE8260C793906E17AA3E6550D4775573858EA1243CCBF7132973CD1CF7A72C3587B9691535FF8
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):282
                                                                                                              Entropy (8bit):3.51145753448333
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:Q+sxnxUXKsWkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny6svymD0wbnKNAH/lMz1
                                                                                                              MD5:7956D2B60E2A254A07D46BCA07D0EFF0
                                                                                                              SHA1:AF1AC8CA6FE2F521B2EE2B7ABAB612956A65B0B5
                                                                                                              SHA-256:C92B7FD46B4553FF2A656FF5102616479F3B503341ED7A349ECCA2E12455969E
                                                                                                              SHA-512:668F5D0EFA2F5168172E746A6C32820E3758793CFA5DB6791DE39CB706EF7123BE641A8134134E579D3E4C77A95A0F9983F90E44C0A1CF6CDE2C4E4C7AF1ECA0
                                                                                                              Malicious:false
                                                                                                              Preview:[File] OriginalName: Parallax.thmx Component: PPTFiles ReqVer: 14 Executable: {PP} StoreLocation: {My Templates} Command: {FilePath}
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1649585
                                                                                                              Entropy (8bit):7.875240099125746
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24576:L368X6z95zf5BbQ6U79dYy2HiTIxRboyM/LZTl5KnCc:r68kb7UTYxGIxmnp65
                                                                                                              MD5:35200E94CEB3BB7A8B34B4E93E039023
                                                                                                              SHA1:5BB55EDAA4CDF9D805E36C36FB092E451BDDB74D
                                                                                                              SHA-256:6CE04E8827ABAEA9B292048C5F84D824DE3CEFDB493101C2DB207BD4475AF1FD
                                                                                                              SHA-512:ED80CEE7C22D10664076BA7558A79485AA39BE80582CEC9A222621764DAE5EFA70F648F8E8C5C83B6FE31C2A9A933C814929782A964A47157505F4AE79A3E2F9
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):284
                                                                                                              Entropy (8bit):3.5552837910707304
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:Q+sxnxUXtLARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnygymD0wbnKNAH/lMz1
                                                                                                              MD5:5728F26DF04D174DE9BDFF51D0668E2A
                                                                                                              SHA1:C998DF970655E4AF9C270CC85901A563CFDBCC22
                                                                                                              SHA-256:979DAFD61C23C185830AA3D771EDDC897BEE87587251B84F61776E720ACF9840
                                                                                                              SHA-512:491B36AC6D4749F7448B9A3A6E6465E8D97FB30F33EF5019AF65660E98F4570711EFF5FC31CBB8414AD9355029610E6F93509BC4B2FB6EA79C7CB09069DE7362
                                                                                                              Malicious:false
                                                                                                              Preview:[File] OriginalName: Wood_Type.thmx Component: PPTFiles ReqVer: 14 Executable: {PP} StoreLocation: {My Templates} Command: {FilePath}
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):966946
                                                                                                              Entropy (8bit):7.8785200658952
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24576:qBcvGBGhXQir6H1ws6+iU0YuA35VuinHX2NPs:ccvGBGdQ5CsMxQVj3yPs
                                                                                                              MD5:F03AB824395A8F1F1C4F92763E5C5CAD
                                                                                                              SHA1:A6E021918C3CEFFB6490222D37ECEED1FC435D52
                                                                                                              SHA-256:D96F7A63A912CA058FB140138C41DCB3AF16638BA40820016AF78DF5D07FAEDD
                                                                                                              SHA-512:0241146B63C938F11045FB9DF5360F63EF05B9B3DD1272A3E3E329A1BFEC5A4A645D5472461DE9C06CFE4ADB991FE96C58F0357249806C341999C033CD88A7AF
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):282
                                                                                                              Entropy (8bit):3.5323495192404475
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:Q+sxnxUXhduDARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyxdumymD0wbnKNAH/lMz1
                                                                                                              MD5:BD6B5A98CA4E6C5DBA57C5AD167EDD00
                                                                                                              SHA1:CCFF7F635B31D12707DC0AC6D1191AB5C4760107
                                                                                                              SHA-256:F22248FE60A55B6C7C1EB31908FAB7726813090DE887316791605714E6E3CEF7
                                                                                                              SHA-512:A178299461015970AF23BA3D10E43FCA5A6FB23262B0DD0C5DDE01D338B4959F222FD2DC2CC5E3815A69FDDCC3B6B4CB8EE6EC0883CE46093C6A59FF2B042BC1
                                                                                                              Malicious:false
                                                                                                              Preview:[File] OriginalName: Quotable.thmx Component: PPTFiles ReqVer: 14 Executable: {PP} StoreLocation: {My Templates} Command: {FilePath}
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):976001
                                                                                                              Entropy (8bit):7.791956689344336
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24576:zHM7eZGgFiHMRej4N9tpytNZ+tIw5ErZBImlX0m:zHM7eZGgFiHMRej++NZ+F5WvllZ
                                                                                                              MD5:9E563D44C28B9632A7CF4BD046161994
                                                                                                              SHA1:D3DB4E5F5B1CC6DD08BB3EBF488FF05411348A11
                                                                                                              SHA-256:86A70CDBE4377C32729FD6C5A0B5332B7925A91C492292B7F9C636321E6FAD86
                                                                                                              SHA-512:8EB14A1B10CB5C7607D3E07E63F668CFC5FC345B438D39138D62CADF335244952FBC016A311D5CB8A71D50660C49087B909528FC06C1D10AF313F904C06CBD5C
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):278
                                                                                                              Entropy (8bit):3.5270134268591966
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:Q+sxnxUXa3Y1kRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyt1mymD0wbnKNAH/lMz1
                                                                                                              MD5:327DA4A5C757C0F1449976BE82653129
                                                                                                              SHA1:CF74ECDF94B4A8FD4C227313C8606FD53B8EEA71
                                                                                                              SHA-256:341BABD413AA5E8F0A921AC309A8C760A4E9BA9CFF3CAD3FB2DD9DF70FD257A6
                                                                                                              SHA-512:9184C3FB989BB271B4B3CDBFEFC47EA8ABEB12B8904EE89797CC9823F33952BD620C061885A5C11BBC1BD3978C4B32EE806418F3F21DA74F1D2DB9817F6E167E
                                                                                                              Malicious:false
                                                                                                              Preview:[File] OriginalName: Berlin.thmx Component: PPTFiles ReqVer: 14 Executable: {PP} StoreLocation: {My Templates} Command: {FilePath}
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):256
                                                                                                              Entropy (8bit):3.464918006641019
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:fxnxUXR+EqRGRnRE3QepmlJ0+3FbnKfZObdADxp1RDWlVwv:fxnyB+5RmRGHmD0wbnKYZAH+Vwv
                                                                                                              MD5:93149E194021B37162FD86684ED22401
                                                                                                              SHA1:1B31CAEBE1BBFA529092BE834D3B4AD315A6F8F1
                                                                                                              SHA-256:50BE99A154A6F632D49B04FCEE6BCA4D6B3B4B7C1377A31CE9FB45C462D697B2
                                                                                                              SHA-512:410A7295D470EC85015720B2B4AC592A472ED70A04103D200FA6874BEA6A423AF24766E98E5ACAA3A1DBC32C44E8790E25D4611CD6C0DBFFFE8219D53F33ACA7
                                                                                                              Malicious:false
                                                                                                              Preview:[File] OriginalName: Equations.dotx Component: WordFiles ReqVer: 14 Executable: {WD} StoreLocation: {WD Document Parts}
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Word 2007+
                                                                                                              Category:dropped
                                                                                                              Size (bytes):51826
                                                                                                              Entropy (8bit):5.541375256745271
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:erH5dYPCA4t3aEFGiSUDtYfEbi5Ry/AT7/6tHODaFlDSomurYNfT4A0VIwWNS89u:Q6Cbh9tENyWdaFUSYNfZS89/3qtEu
                                                                                                              MD5:2AB22AC99ACFA8A82742E774323C0DBD
                                                                                                              SHA1:790F8B56DF79641E83A16E443A75A66E6AA2F244
                                                                                                              SHA-256:BC9D45D0419A08840093B0BF4DCF96264C02DFE5BD295CD9B53722E1DA02929D
                                                                                                              SHA-512:E5715C0ECF35CE250968BD6DE5744D28A9F57D20FD6866E2AF0B2D8C8F80FEDC741D48F554397D61C5E702DA896BD33EED92D778DBAC71E2E98DCFB0912DE07B
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1091485
                                                                                                              Entropy (8bit):7.906659368807194
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24576:oBpmCkw3Tg/euEB+UdoC4k7ytHkHA6B/puqW2MIkTeSBmKrZHQ:MR3c/AseydwppC7veSBmWHQ
                                                                                                              MD5:2192871A20313BEC581B277E405C6322
                                                                                                              SHA1:1F9A6A5E10E1C3FFEB6B6725C5D2FA9ECDF51085
                                                                                                              SHA-256:A06B302954A4C9A6A104A8691864A9577B0BFEA240B0915D9BEA006E98CDFFEC
                                                                                                              SHA-512:6D8844D2807BB90AEA6FE0DDDB9C67542F587EC9B7FC762746164B2D4A1A99EF8368A70C97BAD7A986AAA80847F64408F50F4707BB039FCCC509133C231D53B9
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):280
                                                                                                              Entropy (8bit):3.5301133500353727
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:Q+sxnxUXp2pRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyZ2vymD0wbnKNAH/lMz1
                                                                                                              MD5:1C5D58A5ED3B40486BC22B254D17D1DD
                                                                                                              SHA1:69B8BB7B0112B37B9B5F9ADA83D11FBC99FEC80A
                                                                                                              SHA-256:EBE031C340F04BB0235FE62C5A675CF65C5CC8CE908F4621A4F5D7EE85F83055
                                                                                                              SHA-512:4736E4F26C6FAAB47718945BA54BD841FE8EF61F0DBA927E5C4488593757DBF09689ABC387A8A44F7C74AA69BA89BEE8EA55C87999898FEFEB232B1BA8CC7086
                                                                                                              Malicious:false
                                                                                                              Preview:[File] OriginalName: Gallery.thmx; Component: PPTFiles; ReqVer: 14; Executable: {PP}; StoreLocation: {My Templates}; Command: {FilePath}
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1204049
                                                                                                              Entropy (8bit):7.92476783994848
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24576:+3zSQBxvOUIpHLYTCEmS1Wu09jRalJP3sdgnmAOFt0zU4L0MRx5QNn5:+bvI5UTCPu09qP3JPOFoR4N5
                                                                                                              MD5:FD5BBC58056522847B3B75750603DF0C
                                                                                                              SHA1:97313E85C0937739AF7C7FC084A10BF202AC9942
                                                                                                              SHA-256:44976408BD6D2703BDBE177259061A502552193B1CD05E09B698C0DAC3653C5F
                                                                                                              SHA-512:DBD72827044331215A7221CA9B0ECB8809C7C79825B9A2275F3450BAE016D7D320B4CA94095F7CEF4372AC63155C78CA4795E23F93166D4720032ECF9F932B8E
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):276
                                                                                                              Entropy (8bit):3.5364757859412563
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:Q+sxnxUXARkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnywMymD0wbnKNAH/lMz1
                                                                                                              MD5:CD465E8DA15E26569897213CA9F6BC9C
                                                                                                              SHA1:9EA9B5E6C9B7BF72A777A21EC17FD82BC4386D4C
                                                                                                              SHA-256:D4109317C2DBA1D7A94FC1A4B23FA51F4D0FC8E1D9433697AAFA72E335192610
                                                                                                              SHA-512:869A42679F96414FE01FE1D79AF7B33A0C9B598B393E57E0E4D94D68A4F2107EC58B63A532702DA96A1F2F20CE72E6E08125B38745CD960DF62FE539646EDD8D
                                                                                                              Malicious:false
                                                                                                              Preview:[File] OriginalName: Savon.thmx; Component: PPTFiles; ReqVer: 14; Executable: {PP}; StoreLocation: {My Templates}; Command: {FilePath}
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1463634
                                                                                                              Entropy (8bit):7.898382456989258
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24576:75MGNW/UpLkupMAqDJhNHK4/TuiKbdhbZM+byLH/:7ZwUpLkulkHK46iiDZHeLH/
                                                                                                              MD5:ACBA78931B156E4AF5C4EF9E4AB3003B
                                                                                                              SHA1:2A1F506749A046ECFB049F23EC43B429530EC489
                                                                                                              SHA-256:943E4044C40ABA93BD7EA31E8B5EBEBD7976085E8B1A89E905952FA8DAC7B878
                                                                                                              SHA-512:2815D912088BA049F468CA9D65B92F8951A9BE82AB194DBFACCF0E91F0202820F5BC9535966654D28F69A8B92D048808E95FEA93042D8C5DEA1DCB0D58BE5175
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):280
                                                                                                              Entropy (8bit):3.5286004619027067
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:Q+sxnxUXOzXkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny6WymD0wbnKNAH/lMz1
                                                                                                              MD5:40FF521ED2BA1B015F17F0B0E5D95068
                                                                                                              SHA1:0F29C084311084B8FDFE67855884D8EB60BDE1A6
                                                                                                              SHA-256:CC3575BA195F0F271FFEBA6F6634BC9A2CF5F3BE448F58DBC002907D7C81CBBB
                                                                                                              SHA-512:9507E6145417AC730C284E58DC6B2063719400B395615C40D7885F78F57D55B251CB9C954D573CB8B6F073E4CEA82C0525AE90DEC68251C76A6F1B03FD9943C0
                                                                                                              Malicious:false
                                                                                                              Preview:[File] OriginalName: Circuit.thmx; Component: PPTFiles; ReqVer: 14; Executable: {PP}; StoreLocation: {My Templates}; Command: {FilePath}
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1750795
                                                                                                              Entropy (8bit):7.892395931401988
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24576:DyeAqDJpUDH3xk8ZKIBuX3TPtd36v4o5d4PISMETGBP6eUP+xSeW3v0HKPsc:uRqUjSTPtd36AFDM/BP6eUeW3v0Fc
                                                                                                              MD5:529795E0B55926752462CBF32C14E738
                                                                                                              SHA1:E72DFF8354DF2CB6A5698F14BBD1805D72FEEAFF
                                                                                                              SHA-256:8D341D1C24176DC6B67104C2AF90FABD3BFF666CCC0E269381703D7659A6FA05
                                                                                                              SHA-512:A51F440F1E19C084D905B721D0257F7EEE082B6377465CB94E677C29D4E844FD8021D0B6BA26C0907B72B84157C60A3EFEDFD96C16726F6ABEA8D896D78B08CE
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):280
                                                                                                              Entropy (8bit):3.528155916440219
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:Q+sxnxUXcmlDuRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyMmloymD0wbnKNAH/lMz1
                                                                                                              MD5:AA7B919B21FD42C457948DE1E2988CB3
                                                                                                              SHA1:19DA49CF5540E5840E95F4E722B54D44F3154E04
                                                                                                              SHA-256:5FFF5F1EC1686C138192317D5A67E22A6B02E5AAE89D73D4B19A492C2F5BE2F9
                                                                                                              SHA-512:01D27377942F69A0F2FE240DD73A1F97BB915E19D3D716EE4296C6EF8D8933C80E4E0C02F6C9FA72E531246713364190A2F67F43EDBE12826A1529BC2A629B00
                                                                                                              Malicious:false
                                                                                                              Preview:[File] OriginalName: Droplet.thmx; Component: PPTFiles; ReqVer: 14; Executable: {PP}; StoreLocation: {My Templates}; Command: {FilePath}
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):2357051
                                                                                                              Entropy (8bit):7.929430745829162
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:49152:tfVcGO3JiR6SgT7/bOCrKCsaFCX3CzwovQTSwW8nX:pVcG2iRedsaoXSzeOwWEX
                                                                                                              MD5:5BDE450A4BD9EFC71C370C731E6CDF43
                                                                                                              SHA1:5B223FB902D06F9FCC70C37217277D1E95C8F39D
                                                                                                              SHA-256:93BFC6AC1DC1CFF497DF92B30B42056C9D422B2321C21D65728B98E420D4ED50
                                                                                                              SHA-512:2365A9F76DA07D705A6053645FD2334D707967878F930061D451E571D9228C74A8016367525C37D09CB2AD82261B4B9E7CAEFBA0B96CE2374AC1FAC6B7AB5123
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):276
                                                                                                              Entropy (8bit):3.516423078177173
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:Q+sxnxUX7kARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny5ymD0wbnKNAH/lMz1
                                                                                                              MD5:5402138088A9CF0993C08A0CA81287B8
                                                                                                              SHA1:D734BD7F2FB2E0C7D5DB8F70B897376ECA935C9A
                                                                                                              SHA-256:5C9F5E03EEA4415043E65172AD2729F34BBBFC1A1156A630C65A71CE578EF137
                                                                                                              SHA-512:F40A8704F16AB1D5DCD861355B07C7CB555934BB9DA85AACDCF869DC942A9314FFA12231F9149D28D438BE6A1A14FCAB332E54B6679E29AD001B546A0F48DE64
                                                                                                              Malicious:false
                                                                                                              Preview:[File] OriginalName: Slate.thmx; Component: PPTFiles; ReqVer: 14; Executable: {PP}; StoreLocation: {My Templates}; Command: {FilePath}
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):2218943
                                                                                                              Entropy (8bit):7.942378408801199
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:49152:8mwK3gH/l4hM06Wqnnl1IdO9wASFntrPEWNe7:863gHt4hM9WWnMdO9w35PEWK
                                                                                                              MD5:EE33FDA08FBF10EF6450B875717F8887
                                                                                                              SHA1:7DFA77B8F4559115A6BF186EDE51727731D7107D
                                                                                                              SHA-256:5CF611069F281584DE3E63DE8B99253AA665867299DC0192E8274A32A82CAA20
                                                                                                              SHA-512:AED6E11003AAAACC3FB28AE838EDA521CB5411155063DFC391ACE2B9CBDFBD5476FAB2B5CC528485943EBBF537B95F026B7B5AB619893716F0A91AEFF076D885
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):278
                                                                                                              Entropy (8bit):3.544065206514744
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:Q+sxnxUXCARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyy6ymD0wbnKNAH/lMz1
                                                                                                              MD5:06B3DDEFF905F75FA5FA5C5B70DCB938
                                                                                                              SHA1:E441B94F0621D593DC870A27B28AC6BE3842E7DB
                                                                                                              SHA-256:72D49BDDE44DAE251AEADF963C336F72FA870C969766A2BB343951E756B3C28A
                                                                                                              SHA-512:058792BAA633516037E7D833C8F59584BA5742E050FA918B1BEFC6F64A226AB3821B6347A729BEC2DF68BB2DFD2F8E27947F74CD4F6BDF842606B9DEDA0B75CC
                                                                                                              Malicious:false
                                                                                                              Preview:[File] OriginalName: Damask.thmx; Component: PPTFiles; ReqVer: 14; Executable: {PP}; StoreLocation: {My Templates}; Command: {FilePath}
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 2573508 bytes, 2 files, at 0x44 +A "content.inf" +A "Mesh.thmx", flags 0x4, ID 62129, number 1, extra bytes 20 in head, 94 datablocks, 0x1503 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):2591108
                                                                                                              Entropy (8bit):7.999030891647433
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:49152:ZSBBeAefkpB5iXfQJgi7JBaCCRZ3cM2VDHkvSJO6qzI1tE9Rn:EBI6gbCkMPDHKSJO6qsP6n
                                                                                                              MD5:BEB12A0464D096CA33BAEA4352CE800F
                                                                                                              SHA1:F678D650B4A41676BA05C836D462F34BDC5BF648
                                                                                                              SHA-256:A44166F5C9F2553555A43586BA5DB1C1DE54D72D308A48268F27C6A00076B1CA
                                                                                                              SHA-512:B6E7CCD1ECBB9A49FC72E40771725825DAF41DDB2FF8EA4ECCE18B8FA1A59D3B2C474ADD055F30DA58C7E833A6E6555EBB77CCC324B61CA337187B4B41F7008B
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 2511552 bytes, 2 files, at 0x44 +A "content.inf" +A "Main_Event.thmx", flags 0x4, ID 59889, number 1, extra bytes 20 in head, 90 datablocks, 0x1503 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):2527736
                                                                                                              Entropy (8bit):7.992272975565323
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:49152:NFXdpz4d98p/q5jA4q+9Uf5kx6wHR8WfPJZVhWzH4dRze76YP9nJ7yyAInT76nSY:NFXdKx5sM9SmxHKexZVhutJJVpCSqa0Z
                                                                                                              MD5:F256ACA509B4C6C0144D278C7036B0A8
                                                                                                              SHA1:93F6106D0759AFD0061F73B876AA9CAB05AA8EF6
                                                                                                              SHA-256:AD26761D59F1FA9783C2F49184A2E8FE55FCD46CD3C49FFC099C02310649DC67
                                                                                                              SHA-512:08C57661F8CC9B547BBE42B4A5F8072B979E93346679ADE23CA685C0085F7BC14C26707B3D3C02F124359EBB640816E13763C7546FF095C96D2BB090320F3A95
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 3239239 bytes, 2 files, at 0x44 +A "content.inf" +A "Vapor_Trail.thmx", flags 0x4, ID 19811, number 1, extra bytes 20 in head, 111 datablocks, 0x1503 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):3256855
                                                                                                              Entropy (8bit):7.996842935632312
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:98304:wh7I1aeH9YvgK+A+a7GiiQzP4YZDpQ2+Sd6Y:w21ay93aypQzzhpBL/
                                                                                                              MD5:8867BDF5FC754DA9DA6F5BA341334595
                                                                                                              SHA1:5067CCE84C6C682B75C1EF3DEA067A8D58D80FA9
                                                                                                              SHA-256:42323DD1D3E88C3207E16E0C95CA1048F2E4CD66183AD23B90171DA381D37B58
                                                                                                              SHA-512:93421D7FE305D27E7E2FD8521A8B328063CD22FE4DE67CCCF5D3B8F0258EF28027195C53062D179CD2EBA3A7E6F6A34A7A29297D4AF57650AA6DD19D1EF8413D
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 3400898 bytes, 2 files, at 0x4c "Insight design set.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 106 datablocks, 0x1203 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):3417042
                                                                                                              Entropy (8bit):7.997652455069165
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:98304:1YYkj2mRz6vkkB15AW4QD0ms+FdniD60bDUpS:qYkj7d6vP7NZDLn+PM8
                                                                                                              MD5:749C3615E54C8E6875518CFD84E5A1B2
                                                                                                              SHA1:64D51EB1156E850ECA706B00961C8B101F5AC2FC
                                                                                                              SHA-256:F2D2DF37366F8E49106980377D2448080879027C380D90D5A25DA3BDAD771F8C
                                                                                                              SHA-512:A5F591BA5C31513BD52BBFC5C6CAA79C036C7B50A55C4FDF96C84D311CCDCF1341F1665F1DA436D3744094280F98660481DCA4AA30BCEB3A7FCCB2A62412DC99
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 15327 bytes, 2 files, at 0x4c "sist02.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):31471
                                                                                                              Entropy (8bit):7.818389271364328
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:768:eNtFWk68dbr2QxbM971RqpzAA8Pi6TlHaGRA5yr:eNtEkpGSbuHAkP7TlHaGq54
                                                                                                              MD5:91AADBEC4171CFA8292B618492F5EF34
                                                                                                              SHA1:A47DEB62A21056376DD8F862E1300F1E7DC69D1D
                                                                                                              SHA-256:7E1A90CDB2BA7F03ABCB4687F0931858BF57E13552E0E4E54EC69A27325011EA
                                                                                                              SHA-512:1978280C699F7F739CD9F6A81F2B665643BD0BE42CE815D22528F0D57C5A646FC30AAE517D4A0A374EFB8BD3C53EB9B3D129660503A82BA065679BBBB39BD8D5
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 5864 bytes, 2 files, at 0x44 "architecture.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):22008
                                                                                                              Entropy (8bit):7.662386258803613
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:M7FUtfIdqSHQs7G8E0GftpBjED/C4RQrFLrHRN7TT8DlvQyUTL2mH:sWgdqR2G8Pi6D6YQZTTMvU+mH
                                                                                                              MD5:ABBF10CEE9480E41D81277E9538F98CB
                                                                                                              SHA1:F4EA53D180C95E78CC1DA88CD63F4C099BF0512C
                                                                                                              SHA-256:557E0714D5536070131E7E7CDD18F0EF23FE6FB12381040812D022EC0FEE7957
                                                                                                              SHA-512:9430DAACF3CA67A18813ECD842BE80155FD2DE0D55B7CD16560F4AAEFDA781C3E4B714D850D367259CAAB28A3BF841A5CB42140B19CFE04AC3C23C358CA87FFB
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 18672 bytes, 2 files, at 0x4c "APASixthEditionOfficeOnline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):34816
                                                                                                              Entropy (8bit):7.840826397575377
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:768:i3R9VYnIYfPYmqX0CnF1SRHVnLG8Pi61YbEIFO:ih9VjYfPYlk+F1SJxP71YbEIFO
                                                                                                              MD5:62863124CDCDA135ECC0E722782CB888
                                                                                                              SHA1:2543B8A9D3B2304BB73D2ADBEC60DB040B732055
                                                                                                              SHA-256:23CCFB7206A8F77A13080998EC6EF95B59B3C3E12B72B2D2AD4E53B0B26BB8C3
                                                                                                              SHA-512:2734D1119DC14B7DFB417F217867EF8CE8E73D69C332587278C0896B91247A40C289426A1A53F1796CCB42190001273D35525FCEA8BA2932A69A581972A1EF00
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 15691 bytes, 2 files, at 0x4c "gb.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):31835
                                                                                                              Entropy (8bit):7.81952379746457
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:768:ltJDH8NmUekomvNufaqA8Pi6x5q3KQIGu:lvINukgzP7x5mRIGu
                                                                                                              MD5:92A819D434A8AAEA2C65F0CC2F33BB3A
                                                                                                              SHA1:85C3F1801EFFEA1EA10A8429B0875FC30893F2C8
                                                                                                              SHA-256:5D13F9907AC381D19F0A7552FD6D9FC07C9BD42C0F9CE017FFF75587E1890375
                                                                                                              SHA-512:01339E04130E08573DF7DBDFE25D82ED1D248B8D127BB90D536ECF4A26F5554E793E51E1A1800F61790738CC386121E443E942544246C60E47E25756F0C810A3
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 4410 bytes, 2 files, at 0x44 "PictureFrame.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):20554
                                                                                                              Entropy (8bit):7.612044504501488
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:zEAH676iPi8+IS5iqn7G8E0GftpBjExDxIHFLrHRN7Ke/ll7PK/pGaz6:zEhG8+ISrG8Pi6xDxCKoIGaz6
                                                                                                              MD5:486CBCB223B873132FFAF4B8AD0AD044
                                                                                                              SHA1:B0EC82CD986C2AB5A51C577644DE32CFE9B12F92
                                                                                                              SHA-256:B217393FD2F95A11E2C594E736067870212E3C5242A212D6F9539450E8684616
                                                                                                              SHA-512:69A48BF2B1DB64348C63FC0A50B4807FB9F0175215E306E60252FFFD792B1300128E8E847A81A0E24757B5F999875DA9E662C0F0D178071DB4F9E78239109060
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 4967 bytes, 2 files, at 0x44 "TabList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):21111
                                                                                                              Entropy (8bit):7.6297992466897675
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:wWZsOvbMZGgbA8E0GftpBjEtnFLrHRN7Dfll7PK/pirk:xZRvuzA8Pi6t9DPISk
                                                                                                              MD5:D30AD26DBB6DECA4FDD294F48EDAD55D
                                                                                                              SHA1:CA767A1B6AF72CF170C9E10438F61797E0F2E8CE
                                                                                                              SHA-256:6B1633DD765A11E7ED26F8F9A4DD45023B3E4ADB903C934DF3917D07A3856BFF
                                                                                                              SHA-512:7B519F5D82BA0DA3B2EFFAD3029C7CAB63905D534F3CF1F7EA3446C42FA2130665CA7569A105C18289D65FA955C5624009C1D571E8960D2B7C52E0D8B42BE457
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 7453 bytes, 2 files, at 0x44 "pictureorgchart.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):23597
                                                                                                              Entropy (8bit):7.692965575678876
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:y6aR//q0bJi/Uj+957G8E0GftpBj/4YOFLrHRN7LxhKll7PK/ph:y6I/Li/UjmVG8PiZ4YsLxh6Ih
                                                                                                              MD5:7C645EC505982FE529D0E5035B378FFC
                                                                                                              SHA1:1488ED81B350938D68A47C7F0BCE8D91FB1673E2
                                                                                                              SHA-256:298FD9DADF0ACEBB2AA058A09EEBFAE15E5D1C5A8982DEE6669C63FB6119A13D
                                                                                                              SHA-512:9F410DA5DB24B0B72E7774B4CF4398EDF0D361B9A79FBE2736A1DDD770AFE280877F5B430E0D26147CCA0524A54EA8B41F88B771F3598C2744A7803237B314B2
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 15418 bytes, 2 files, at 0x4c "harvardanglia2008officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):31562
                                                                                                              Entropy (8bit):7.81640835713744
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:yhsBScEWkrljntbzuMmWh7ezPnGgbA8E0GftpBjohgsRFLrHRN7ybll7PK/p:MsBScwtnBmWNeTzA8PiuWsvyDI
                                                                                                              MD5:1D6F8E73A0662A48D332090A4C8C898F
                                                                                                              SHA1:CF9AD4F157772F5EDC0FDDEEFD9B05958B67549C
                                                                                                              SHA-256:8077C92C66D15D7E03FBFF3A48BD9576B80F698A36A44316EABA81EE8043B673
                                                                                                              SHA-512:5C03A99ECD747FBC7A15F082DF08C0D26383DB781E1F70771D4970E354A962294CE11BE53BECAAD6746AB127C5B194A93B7E1B139C12E6E45423B3A509D771FC
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 3144 bytes, 2 files, at 0x44 "VaryingWidthList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):19288
                                                                                                              Entropy (8bit):7.570850633867256
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:5ZII4Hf+7G8E0GftpBjCwBFLrHRN7bcClvQyUTL2mH:pG8PicgbcAvU+mH
                                                                                                              MD5:B9A6FF715719EE9DE16421AB983CA745
                                                                                                              SHA1:6B3F68B224020CD4BF142D7EDAAEC6B471870358
                                                                                                              SHA-256:E3BE3F1E341C0FA5E9CB79E2739CF0565C6EA6C189EA3E53ACF04320459A7070
                                                                                                              SHA-512:062A765AC4602DB64D0504B79BE7380C14C143091A09F98A5E03E18747B2166BD862CE7EF55403D27B54CEB397D95BFAE3195C15D5516786FEBDAC6CD5FBF9CD
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 16689 bytes, 2 files, at 0x4c "iso690.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):32833
                                                                                                              Entropy (8bit):7.825460303519308
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:768:+0TU06CkaUYMoi//YX428RaFA8Pi6e9iA4I3w:vICTm/QorUpP7eAA4I3w
                                                                                                              MD5:205AF51604EF96EF1E8E60212541F742
                                                                                                              SHA1:D436FE689F8EF51FBA898454CF509DDB049C1545
                                                                                                              SHA-256:DF3FFF163924D08517B41455F2D06788BA4E49C68337D15ECF329BE48CF7DA2D
                                                                                                              SHA-512:BCBA80ED0E36F7ABC1AEF19E6FF6EB654B9E91268E79CA8F421CB8ADD6C2B0268AD6C45E6CC06652F59235084ECDA3BA2851A38E6BCD1A0387EB3420C6EC94AC
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 14939 bytes, 2 files, at 0x44 "CircleProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):31083
                                                                                                              Entropy (8bit):7.814202819173796
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:0XbSq3W46TVZb5fOFo1HtZwGqtRT44hS+nyBoiuFgbA8E0GftpBjEcBFLrHRN7Ku:0XpOflfOFo1DMr/iuuA8Pi6cfKjW66b
                                                                                                              MD5:89A9818E6658D73A73B642522FF8701F
                                                                                                              SHA1:E66C95E957B74E90B444FF16D9B270ADAB12E0F4
                                                                                                              SHA-256:F747DD8B79FC69217FA3E36FAE0AB417C1A0759C28C2C4F8B7450C70171228E6
                                                                                                              SHA-512:321782B0B633380DA69BD7E98AA05BE7FA5D19A131294CC7C0A598A6A1A1AEF97AB1068427E4223AA30976E3C8246FF5C3C1265D4768FE9909B37F38CBC9E60D
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 19375 bytes, 2 files, at 0x4c "turabian.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):35519
                                                                                                              Entropy (8bit):7.846686335981972
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:768:2LFougzHaUdBKUsM+Z56zBjA8Pi6bo+ld8IX:MFodzHaULR9P7bo+l6IX
                                                                                                              MD5:53EE9DA49D0B84357038ECF376838D2E
                                                                                                              SHA1:AB03F46783B2227F312187DD84DC0C517510DE20
                                                                                                              SHA-256:9E46B8BA0BAD6E534AF33015C86396C33C5088D3AE5389217A5E90BA68252374
                                                                                                              SHA-512:751300C76ECE4901801B1F9F51EACA7A758D5D4E6507E227558AAAAF8E547C3D59FA56153FEA96B6B2D7EB08C7AF2E4D5568ACE7E798D1A86CEDE363EFBECF7C
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 12767 bytes, 2 files, at 0x4c "ieee2006officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):28911
                                                                                                              Entropy (8bit):7.7784119983764715
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:WnJY165YD0tPYoCKa3HueqRyzVscLk1Yj2GjcgbA8E0GftpBjE2kWTpjFLrHRN7N:X4rtPzCK6uRoljXBA8Pi62ZphL0HRA5p
                                                                                                              MD5:6D787B1E223DB6B91B69238062CCA872
                                                                                                              SHA1:A02F3D847D1F8973E854B89D4558413EA2E349F7
                                                                                                              SHA-256:DA2F261C3C82E229A097A9302C8580F014BB6442825DB47C008DA097CFCE0EE4
                                                                                                              SHA-512:9856D88D5C63CD6EBCF26E5D7521F194FA6B6E7BF55DD2E0238457A1B760EB8FB0D573A6E85E819BF8E5BE596537E99BC8C2DCE7EC6E2809A43490CACCD44169
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 6196 bytes, 2 files, at 0x44 "ThemePictureGrid.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):22340
                                                                                                              Entropy (8bit):7.668619892503165
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:GByvLdFHny7G8E0GftpBjE8upFLrHRN778lvQyUTL2mm2y:Oy3HkG8Pi6887mvU+ma
                                                                                                              MD5:8B29FAB506FD65C21C9CD6FE6BBBC146
                                                                                                              SHA1:CE1B8A57BB3C682F6A0AFC32955DAFD360720FDF
                                                                                                              SHA-256:773AC516C9B9B28058128EC9BE099F817F3F90211AC70DC68077599929683D6F
                                                                                                              SHA-512:AFA82CCBC0AEF9FAE4E728E4212E9C6EB2396D7330CCBE57F8979377D336B4DACF4F3BF835D04ABCEBCDB824B9A9147B4A7B5F12B8ADDADF42AB2C34A7450ADE
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 5213 bytes, 2 files, at 0x44 "rings.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):21357
                                                                                                              Entropy (8bit):7.641082043198371
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:zdx+NRrogu6fzCI7Th7G8E0GftpBjEzZq4FLrHRN7/Oll7PK/pB:/+NRrFf/G8Pi6zZb/GIB
                                                                                                              MD5:97F5B7B7E9E1281999468A5C42CB12E7
                                                                                                              SHA1:99481B2FA609D1D80A9016ADAA3D37E7707A2ED1
                                                                                                              SHA-256:1CF5C2D0F6188FFFF117932C424CC55D1459E0852564C09D7779263ABD116118
                                                                                                              SHA-512:ACE9718D724B51FE04B900CE1D2075C0C05C80243EA68D4731A63138F3A1287776E80BD67ECB14C323C69AA1796E9D8774A3611FE835BA3CA891270DE1E7FD1F
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 5731 bytes, 2 files, at 0x44 "ThemePictureAlternatingAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):21875
                                                                                                              Entropy (8bit):7.6559132103953305
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:k73HRpZA6B3ulrnxtRT7G8E0GftpBjEdHqlFLrHRN7uhFlvQyUTL2m4c:k7XRgIkrG8Pi6dmuNvU+mp
                                                                                                              MD5:E532038762503FFA1371DF03FA2E222D
                                                                                                              SHA1:F343B559AE21DAEF06CBCD8B2B3695DE1B1A46F0
                                                                                                              SHA-256:5C70DD1551EB8B9B13EFAFEEAF70F08B307E110CAEE75AD9908A6A42BBCCB07E
                                                                                                              SHA-512:E0712B481F1991256A01C3D02ED56645F61AA46EB5DE47E5D64D5ECD20052CDA0EE7D38208B5EE982971CCA59F2717B7CAE4DFCF235B779215E7613AA5DCD976
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 15461 bytes, 2 files, at 0x4c "gostname.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):31605
                                                                                                              Entropy (8bit):7.820497014278096
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:7SpOUxgQ9gFodHZktfHa2TSmcAg76j8/xorK0JoZgbA8E0GftpBjE2PzFLrHRN7S:OngHltf7Bcp/xoB3A8Pi625D8RA54
                                                                                                              MD5:69EDB3BF81C99FE8A94BBA03408C5AE1
                                                                                                              SHA1:1AC85B369A976F35244BEEFA9C06787055C869C1
                                                                                                              SHA-256:CEBE759BC4509700E3D23C6A5DF8D889132A60EBC92260A74947EAA1089E2789
                                                                                                              SHA-512:BEA70229A21FBA3FD6D47A3DC5BECBA3EAA0335C08D486FAB808344BFAA2F7B24DD9A14A0F070E13A42BE45DE3FF54D32CF38B43192996D20DF4176964E81A53
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 14813 bytes, 2 files, at 0x4c "iso690nmerical.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 7 datablocks, 0x1203 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):30957
                                                                                                              Entropy (8bit):7.808231503692675
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:rKfgT03jNkAFbgUQWtxq9OGh1bBkd/1MVHb5iVOdMgbA8E0GftpBjEl8tFLrHRNF:r303jOrUQAkfhopWHbA8Pi6l8zuUIq
                                                                                                              MD5:D3C9036E4E1159E832B1B4D2E9D42BF0
                                                                                                              SHA1:966E04B7A8016D7FDAFE2C611957F6E946FAB1B9
                                                                                                              SHA-256:434576EB1A16C2D14D666A33EDDE76717C896D79F45DF56742AFD90ACB9F21CE
                                                                                                              SHA-512:D28D7F467F072985BCFCC6449AD16D528D531EB81912D4C3D956CF8936F96D474B18E7992B16D6834E9D2782470D193A17598CAB55A7F9EB0824BC3F069216B6
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 6450 bytes, 2 files, at 0x44 "ThemePictureAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):22594
                                                                                                              Entropy (8bit):7.674816892242868
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:L7d2l8FbHaaIKbtv1gDISi8E0GftpBjEZRFLrHRN74bUll7PK/pd:LUlCIOt/8Pi6Zv4bMId
                                                                                                              MD5:EE0129C7CC1AC92BBC3D6CB0F653FCAE
                                                                                                              SHA1:4ABAA858176B349BDAB826A7C5F9F00AC5499580
                                                                                                              SHA-256:345AA5CA2496F975B7E33C182D5E57377F8B740F23E9A55F4B2B446723947B72
                                                                                                              SHA-512:CDDABE701C8CBA5BD5D131ABB85F9241212967CE6924E34B9D78D6F43D76A8DE017E28302FF13CE800456AD6D1B5B8FFD8891A66E5BE0C1E74CF19DF9A7AD959
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 10800 bytes, 2 files, at 0x44 "ConvergingText.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):26944
                                                                                                              Entropy (8bit):7.7574645319832225
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:sbUX16g8/atF4NB3TJOvqeMRD/8svIZj/OwgbA8E0GftpBjEYwFLrHRN7mYll7PY:sbhg8yY4nMZK2hA8Pi6Yum4IVR
                                                                                                              MD5:F913DD84915753042D856CEC4E5DABA5
                                                                                                              SHA1:FB1E423C8D09388C3F0B6D44364D94D786E8CF53
                                                                                                              SHA-256:AA03AFB681A76C86C1BD8902EE2BBA31A644841CE6BCB913C8B5032713265578
                                                                                                              SHA-512:C48850522C809B18208403B3E721ABEB1187F954045CE2F8C48522368171CC8FAF5F30FA44F6762AFDE130EC72284BB2E74097A35FE61F056656A27F9413C6B6
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 6005 bytes, 2 files, at 0x44 "HexagonRadial.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):22149
                                                                                                              Entropy (8bit):7.659898883631361
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:b98FG/zdCbf7BOEawSi8E0GftpBjEPTFPxFLrHRN7S5ll7PK/pA2:N/zAbDae8Pi6PFPSRIA2
                                                                                                              MD5:66C5199CF4FB18BD4F9F3F2CCB074007
                                                                                                              SHA1:BA9D8765FFC938549CC19B69B3BF5E6522FB062E
                                                                                                              SHA-256:4A7DC4ED098E580C8D623C51B57C0BC1D601C45F40B60F39BBA5F063377C3C1F
                                                                                                              SHA-512:94C434A131CDE47CB64BCD2FB8AF442482F8ECFA63D958C832ECA935DEB10D360034EF497E2EBB720C72B4C1D7A1130A64811D362054E1D52A441B91C46034B0
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 5647 bytes, 2 files, at 0x44 "RadialPictureList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):21791
                                                                                                              Entropy (8bit):7.65837691872985
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:PWew5RNDcvPgbA8E0GftpBjE0hsyaFLrHRN7BD9lI66YR:P3GRNDcEA8Pi60hsyABDo66g
                                                                                                              MD5:7BF88B3CA20EB71ED453A3361908E010
                                                                                                              SHA1:F75F86557051160507397F653D7768836E3B5655
                                                                                                              SHA-256:E555A610A61DB4F45A29A7FB196A9726C25772594252AD534453E69F05345283
                                                                                                              SHA-512:2C3DFB0F8913D1D8FF95A55E1A1FD58CE1F9D034268CD7BC0D2BF2DCEFEA8EF05DD62B9AFDE1F983CACADD0529538381632ADFE7195EAC19CE4143414C44DBE3
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 3749 bytes, 2 files, at 0x44 "TabbedArc.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):19893
                                                                                                              Entropy (8bit):7.592090622603185
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:v3Zh3VlkpSIcgbA8E0GftpBjEmm3UFLrHRN7GYvlvQyUTL2mTAp:v31qp/A8Pi6mUqGGvU+mcp
                                                                                                              MD5:EF9CB8BDFBC08F03BEF519AD66BA642F
                                                                                                              SHA1:D98C275E9402462BF52A4D28FAF57DF0D232AF6B
                                                                                                              SHA-256:93A2F873ACF5BEAD4BC0D1CC17B5E89A928D63619F70A1918B29E5230ABEAD8E
                                                                                                              SHA-512:4DFBDF389730370FA142DCFB6F7E1AC1C0540B5320FA55F94164C0693DB06C21E6D4A1316F0ABE51E51BCBDAB3FD33AE882D9E3CFDB4385AB4C3AF4C2536B0B3
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 26644 bytes, 2 files, at 0x4c "Element design set.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):42788
                                                                                                              Entropy (8bit):7.89307894056
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:768:Hx+UzBiwDQTXgBm029ClGn4BZz6i5kIew/jG8Pi6lYJz1gH:0ZXc29eGn2n5klwjxP7l2z1gH
                                                                                                              MD5:21A4B7B71631C2CCDA5FBBA63751F0D2
                                                                                                              SHA1:DE65DC641D188062EF9385CC573B070AAA8BDD28
                                                                                                              SHA-256:AE0C5A2C8377DBA613C576B1FF73F01AE8EF4A3A4A10B078B5752FB712B3776C
                                                                                                              SHA-512:075A9E95C6EC7E358EA8942CF55EFB72AC797DEE1F1FFCD27AD60472ED38A76048D356638EF6EAC22106F94AFEE9D543B502D5E80B964471FA7419D288867D5D
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 9170 bytes, 2 files, at 0x44 "InterconnectedBlockProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):25314
                                                                                                              Entropy (8bit):7.729848360340861
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:75V23GNhfG/YvmBqWDP7G8E0GftpBjEB1vrFLrHRN7mKll7PK/pRU0:LS/Yvc7TG8Pi6BLm6IS0
                                                                                                              MD5:C47E3430AF813DF8B02E1CB4829DD94B
                                                                                                              SHA1:35F1F1A18AA4FD2336A4EA9C6005DBE70013C7FC
                                                                                                              SHA-256:F2DB1E60533F0D108D5FB1004904C1F2E8557D4493F3B251A1B3055F8F1507A3
                                                                                                              SHA-512:6F8904E658EB7D04C6880F7CC3EC63FCFE31EF2C3A768F4ECF40B115314F23774DAEE66DCE9C55FAF0AD31075A3AC27C8967FD341C23C953CA28BDC120997287
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 4091 bytes, 2 files, at 0x44 "BracketList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):20235
                                                                                                              Entropy (8bit):7.61176626859621
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:j3W3yGyjgbA8E0GftpBjEHvFLrHRN7pDAlI66Yv1:j3WFyAA8Pi6HVpDZ66c1
                                                                                                              MD5:E3C64173B2F4AA7AB72E1396A9514BD8
                                                                                                              SHA1:774E52F7E74B90E6A520359840B0CA54B3085D88
                                                                                                              SHA-256:16C08547239E5B969041AB201EB55A3E30EAD400433E926257331CB945DFF094
                                                                                                              SHA-512:7ED618578C6517ED967FB3521FD4DBED9CDFB7F7982B2B8437804786833207D246E4FCD7B85A669C305BE3B823832D2628105F01E2CF30B494172A17FC48576D
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 206792 bytes, 2 files, at 0x44 +A "content.inf" +A "View.thmx", flags 0x4, ID 33885, number 1, extra bytes 20 in head, 15 datablocks, 0x1503 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):222992
                                                                                                              Entropy (8bit):7.994458910952451
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:6144:k8/c2cF9GTLqsTmYstUdx+dwb2ooiVOfiI17zWbQ:jbzqGdpbZ/Mf3h68
                                                                                                              MD5:26BEAB9CCEAFE4FBF0B7C0362681A9D2
                                                                                                              SHA1:F63DD970040CA9F6CFCF5793FF7D4F1F4A69C601
                                                                                                              SHA-256:217EC1B6E00A24583B166026DEC480D447FB564CF3BCA81984684648C272F767
                                                                                                              SHA-512:2BBEA62360E21E179014045EE95C7B330A086014F582439903F960375CA7E9C0CF5C0D5BB24E94279362965CA9D6A37E6AAA6A7C5969FC1970F6C50876582BE1
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 243642 bytes, 2 files, at 0x44 +A "content.inf" +A "Metropolitan.thmx", flags 0x4, ID 19054, number 1, extra bytes 20 in head, 24 datablocks, 0x1503 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):261258
                                                                                                              Entropy (8bit):7.99541965268665
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:6144:9blShNYrHNn0JU+D+kh8CIjXHWC7X0nZLC9Ge2KY/WfI:9ZSTYrtn0Sk+CIDHWC7chVKYx
                                                                                                              MD5:65828DC7BE8BA1CE61AD7142252ACC54
                                                                                                              SHA1:538B186EAF960A076474A64F508B6C47B7699DD3
                                                                                                              SHA-256:849E2E915AA61E2F831E54F337A745A5946467D539CCBD0214B4742F4E7E94FF
                                                                                                              SHA-512:8C129F26F77B4E73BF02DE8F9A9F432BB7E632EE4ABAD560A331C2A12DA9EF5840D737BFC1CE24FDCBB7EF39F30F98A00DD17F42C51216F37D0D237145B8DE15
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 214772 bytes, 2 files, at 0x44 +A "content.inf" +A "Parcel.thmx", flags 0x4, ID 26500, number 1, extra bytes 20 in head, 19 datablocks, 0x1503 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):230916
                                                                                                              Entropy (8bit):7.994759087207758
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:6144:OTIPtMXmJWnzPS3pqnkeuJXW+FNx1a72rLiQxEBTR:750nz63/FJRFLISnp+Bt
                                                                                                              MD5:93FA9F779520AB2D22AC4EA864B7BB34
                                                                                                              SHA1:D1E9F53A0E012A89978A3C9DED73FB1D380A9D8A
                                                                                                              SHA-256:6A3801C1D4CF0C19A990282D93AC16007F6CACB645F0E0684EF2EDAC02647833
                                                                                                              SHA-512:AA91B4565C88E5DA0CF294DC4A2C91EAEB6D81DCA96069DB032412E1946212A13C3580F5C0143DD28B33F4849D2C2DF2214CE1E20598D634E78663D20F03C4E6
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 252241 bytes, 2 files, at 0x44 +A "content.inf" +A "Frame.thmx", flags 0x4, ID 34169, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):271273
                                                                                                              Entropy (8bit):7.995547668305345
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:6144:zfdvQnJMwXse4Vradf3mrC7woyWbjKlCVC7K:zfJwJse4VrS1AK
                                                                                                              MD5:21437897C9B88AC2CB2BB2FEF922D191
                                                                                                              SHA1:0CAD3D026AF2270013F67E43CB44F0568013162D
                                                                                                              SHA-256:372572DCBAD590F64F5D18727757CBDF9366DDE90955C79A0FCC9F536DAB0384
                                                                                                              SHA-512:A74DA3775C19A7AF4A689FA4D920E416AB9F40A8BDA82CCF651DDB3EACBC5E932A120ABF55F855474CEBED0B0082F45D091E211AAEA6460424BFD23C2A445CC7
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 259074 bytes, 2 files, at 0x44 +A "content.inf" +A "Dividend.thmx", flags 0x4, ID 58359, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):276650
                                                                                                              Entropy (8bit):7.995561338730199
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:6144:H2a+HFkDF8gpmMt4kzwVVqhSYO6DITxPWgJl1CFExwXyo7N:mlZgFtIVVTuDExeWuv7N
                                                                                                              MD5:84D8F3848E7424CBE3801F9570E05018
                                                                                                              SHA1:71D7F2621DA8B295CE6885F8C7C81016D583C6B1
                                                                                                              SHA-256:B4BC3CD34BD328AAF68289CC0ED4D5CF8167F1EE1D7BE20232ED4747FF96A80A
                                                                                                              SHA-512:E27873BFD95E464CB58B3855F2DA404858B935530CF74C7F86FF8B3FC3086C2FAEA09FA479F0CA7B04D87595ED8C4D07D104426FF92DFB31BED405FA7A017DA8
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 279287 bytes, 2 files, at 0x44 +A "Basis.thmx" +A "content.inf", flags 0x4, ID 55632, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):295527
                                                                                                              Entropy (8bit):7.996203550147553
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:6144:nwVaEqsf23c9shf6UyOGgDWDn/p3fd+zkPWnvGL3n9bQnkmVheyqtkl:MlPfW6sVEDn/pPdhWnvGL36zyyqal
                                                                                                              MD5:9A07035EF802BF89F6ED254D0DB02AB0
                                                                                                              SHA1:9A48C1962B5CF1EE37FEEC861A5B51CE11091E78
                                                                                                              SHA-256:6CB03CEBAB2C28BF5318B13EEEE49FBED8DCEDAF771DE78126D1BFE9BD81C674
                                                                                                              SHA-512:BE13D6D88C68FA16390B04130838D69CDB6169DC16AF0E198C905B22C25B345C541F8FCCD4690D88BE89383C19943B34EDC67793F5EB90A97CD6F6ECCB757F87
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 291188 bytes, 2 files, at 0x44 +A "Banded.thmx" +A "content.inf", flags 0x4, ID 56338, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):307348
                                                                                                              Entropy (8bit):7.996451393909308
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:6144:7vH3uG+yiWx0eVJyORloyyDqnHefzOs81MrXLXx7:b36yiWH/LRS2CJl1
                                                                                                              MD5:0EBC45AA0E67CC435D0745438371F948
                                                                                                              SHA1:5584210C4A8B04F9C78F703734387391D6B5B347
                                                                                                              SHA-256:3744BFA286CFCFF46E51E6A68823A23F55416CD6619156B5929FED1F7778F1C7
                                                                                                              SHA-512:31761037C723C515C1A9A404E235FE0B412222CB239B86162D17763565D0CCB010397376FB9B61B38A6AEBDD5E6857FD8383045F924AF8A83F2C9B9AF6B81407
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 533290 bytes, 2 files, at 0x44 +A "content.inf" +A "Parallax.thmx", flags 0x4, ID 64081, number 1, extra bytes 20 in head, 29 datablocks, 0x1503 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):550906
                                                                                                              Entropy (8bit):7.998289614787931
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:12288:N4Ar9NyDhUQM0Hk86V1YnOIxQ9e6SJbj2OjK:jAG8wa5Qw6SZ2Oj
                                                                                                              MD5:1C12315C862A745A647DAD546EB4267E
                                                                                                              SHA1:B3FA11A511A634EEC92B051D04F8C1F0E84B3FD6
                                                                                                              SHA-256:4E2E93EBAC4AD3F8690B020040D1AE3F8E7905AB7286FC25671E07AA0282CAC0
                                                                                                              SHA-512:CA8916694D42BAC0AD38B453849958E524E9EED2343EBAA10DF7A8ACD13DF5977F91A4F2773F1E57900EF044CFA7AF8A94B3E2DCE734D7A467DBB192408BC240
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 704319 bytes, 2 files, at 0x44 +A "content.inf" +A "Wood_Type.thmx", flags 0x4, ID 5778, number 1, extra bytes 20 in head, 51 datablocks, 0x1503 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):723359
                                                                                                              Entropy (8bit):7.997550445816903
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:12288:NPnBZX7wR3tMwYqNDQGnXTtfzO5U7yo6O7bLhe8yE3LLDok4a:JBMbYE7xzO5U917bLh/DL3oJa
                                                                                                              MD5:748A53C6BDD5CE97BD54A76C7A334286
                                                                                                              SHA1:7DD9EEDB13AC187E375AD70F0622518662C61D9F
                                                                                                              SHA-256:9AF92B1671772E8E781B58217DAB481F0AFBCF646DE36BC1BFFC7D411D14E351
                                                                                                              SHA-512:EC8601D1A0DBD5D79C67AF2E90FAD44BBC0B890412842BF69065A2C7CB16C12B1C5FF594135C7B67B830779645801DA20C9BE8D629B6AD8A3BA656E0598F0540
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 682092 bytes, 2 files, at 0x44 +A "Berlin.thmx" +A "content.inf", flags 0x4, ID 46672, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):698244
                                                                                                              Entropy (8bit):7.997838239368002
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:12288:bUfKzAwwP7XAMWtr4FvMRt4lX0hnBdThiSb32+TdysrQgn7v4EemC6:sr7AMkJ34xu1bm4ZrQaY6
                                                                                                              MD5:E29CE2663A56A1444EAA3732FFB82940
                                                                                                              SHA1:767A14B51BE74D443B5A3FEFF4D870C61CB76501
                                                                                                              SHA-256:3732EB6166945DB2BF792DA04199B5C4A0FB3C96621ECBFDEAF2EA1699BA88EE
                                                                                                              SHA-512:6BC420F3A69E03D01A955570DC0656C83C9E842C99CF7B429122E612E1E54875C61063843D8A24DB7EC2035626F02DDABF6D84FC3902184C1EFF3583DBB4D3D8
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 624532 bytes, 2 files, at 0x44 +A "content.inf" +A "Quotable.thmx", flags 0x4, ID 13510, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):640684
                                                                                                              Entropy (8bit):7.99860205353102
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:12288:eV7ivfl+kbkIrWu+2aoRjwv/cSUWauGPo2v65s4QqcT3ZCCz6CSj8aC:fdhr1+3y4MWaC2CO4V+3ZCCDsO
                                                                                                              MD5:F93364EEC6C4FFA5768DE545A2C34F07
                                                                                                              SHA1:166398552F6B7F4509732E148F93E207DD60420B
                                                                                                              SHA-256:296B915148B29751E68687AE37D3FAFD9FFDDF458C48EB059A964D8F2291E899
                                                                                                              SHA-512:4F0965B4C5F543B857D9A44C7A125DDD3E8B74837A0FDD80C1FDC841BF22FC4CE4ADB83ACA8AA65A64F8AE6D764FA7B45B58556F44CFCE92BFAC43762A3BC5F4
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 937309 bytes, 2 files, at 0x44 +A "content.inf" +A "Gallery.thmx", flags 0x4, ID 44349, number 1, extra bytes 20 in head, 34 datablocks, 0x1503 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):953453
                                                                                                              Entropy (8bit):7.99899040756787
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:24576:9B1Onw3vg7aeYPagzbJ5Vhv6LnV2Dhl7GEYqVjcyd:vww3o7BYPJbJ5Vh6UCqZfd
                                                                                                              MD5:D4EAC009E9E7B64B8B001AE82B8102FA
                                                                                                              SHA1:D8D166494D5813DB20EA1231DA4B1F8A9B312119
                                                                                                              SHA-256:8B0631DA4DC79E036251379A0A68C3BA977F14BCC797BA0EB9692F8BB90DDB4D
                                                                                                              SHA-512:561653F9920661027D006E7DEF7FB27DE23B934E4860E0DF78C97D183B7CEBD9DCE0D395E2018EEF1C02FC6818A179A661E18A2C26C4180AFEE5EF4F9C9C6035
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 1049713 bytes, 2 files, at 0x44 +A "content.inf" +A "Savon.thmx", flags 0x4, ID 60609, number 1, extra bytes 20 in head, 37 datablocks, 0x1503 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1065873
                                                                                                              Entropy (8bit):7.998277814657051
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:24576:qehtHA3nsAOx7yN7THwxdGpkw8R60aTcua5U4c:hhmnsBMNAxdGpV5za5Uv
                                                                                                              MD5:E1101CCA6E3FEDB28B57AF4C41B50D37
                                                                                                              SHA1:990421B1D858B756E6695B004B26CDCCAE478C23
                                                                                                              SHA-256:69B2675E47917A9469F771D0C634BD62B2DFA0F5D4AF3FD7AFE9196BF889C19E
                                                                                                              SHA-512:B1EDEA65B6D0705A298BFF85FC894A11C1F86B43FAC3C2149D0BD4A13EDCD744AF337957CBC21A33AB7A948C11EA9F389F3A896B6B1423A504E7028C71300C44
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 1081343 bytes, 2 files, at 0x44 +A "Circuit.thmx" +A "content.inf", flags 0x4, ID 11309, number 1, extra bytes 20 in head, 45 datablocks, 0x1503 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1097591
                                                                                                              Entropy (8bit):7.99825462915052
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:24576:UE9BMy98gA4cDWHkSrDans3MfEE6w8OaVuCibol0j41dwD:UE9Bdy3D4keQWt7w85VuVoaj4/Q
                                                                                                              MD5:BF95E967E7D1CEC8EFE426BC0127D3DE
                                                                                                              SHA1:BA44C5500A36D748A9A60A23DB47116D37FD61BC
                                                                                                              SHA-256:4C3B008E0EB10A722D8FEDB325BFB97EDAA609B1E901295F224DD4CB4DF5FC26
                                                                                                              SHA-512:0697E394ABAC429B00C3A4F8DB9F509E5D45FF91F3C2AF2C2A330D465825F058778C06B129865B6107A0731762AD73777389BB0E319B53E6B28C363232FA2CE8
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 1291243 bytes, 2 files, at 0x44 +A "content.inf" +A "Droplet.thmx", flags 0x4, ID 47417, number 1, extra bytes 20 in head, 54 datablocks, 0x1503 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1310275
                                                                                                              Entropy (8bit):7.9985829899274385
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:24576:NN3M9UHpHZE4aubaPubP3M6d71FdtmFAjq+54/79LVzG+VnS:NN3M9UJHZE4abPyU4JtmFCq+q/7JlVS
                                                                                                              MD5:9C9F49A47222C18025CC25575337A965
                                                                                                              SHA1:E42EDB33471D7C1752DCC42C06DD3F9FDA8B25F0
                                                                                                              SHA-256:ADA7EFF0676D9CCE1935D5485F3DDE35C594D343658FB1DA42CB5A48FC3FC16A
                                                                                                              SHA-512:9FDCBAB988CBE97BFD931B727D31BA6B8ECF795D0679A714B9AFBC2C26E7DCF529E7A51289C7A1AE7EF04F4A923C2D7966D5AF7C0BC766DCD0FCA90251576794
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 1750009 bytes, 2 files, at 0x44 +A "content.inf" +A "Slate.thmx", flags 0x4, ID 28969, number 1, extra bytes 20 in head, 72 datablocks, 0x1503 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1766185
                                                                                                              Entropy (8bit):7.9991290831091115
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:24576:O/gjMj+RP9Q07h9F75a0BXjBccHMVk2Hq2SkGa0QglyZtxmdPP2LcSUtfgfp16Yx:kJ6RP9Q07/X5V7yVF0QgktxAPutUt0zP
                                                                                                              MD5:828F96031F40BF8EBCB5E52AAEEB7E4C
                                                                                                              SHA1:CACC32738A0A66C8FE51A81ED8E27A6F82E69EB2
                                                                                                              SHA-256:640AD075B555D4A2143F909EAFD91F54076F5DDE42A2B11CD897BC564B5D7FF7
                                                                                                              SHA-512:61F6355FF4D984931E79624394CCCA217054AE0F61B9AF1A1EDED5ACCA3D6FEF8940E338C313BE63FC766E6E7161CAFA0C8AE44AD4E0BE26C22FF17E2E6ABAF7
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 1865728 bytes, 2 files, at 0x44 +A "content.inf" +A "Damask.thmx", flags 0x4, ID 63852, number 1, extra bytes 20 in head, 68 datablocks, 0x1503 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1881952
                                                                                                              Entropy (8bit):7.999066394602922
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:49152:6Wp9u/ZAvKz7ZFCejPiSmYXKIr6kBwBUA:6W6Bn7ZFNiiKo2l
                                                                                                              MD5:53C5F45B22E133B28D4BD3B5A350FDBD
                                                                                                              SHA1:D180CFB1438D27F76E1919DA3E84F307CB83434F
                                                                                                              SHA-256:8AF4C7CAC47D2B9C7ADEADF276EDAE830B4CC5FFE7E765E3C3D7B3FADCB5F273
                                                                                                              SHA-512:46AD3DA58C63CA62FCFC4FAF9A7B5B320F4898A1E84EEF4DE16E0C0843BAFE078982FC9F78C5AC6511740B35382400B5F7AC3AE99BB52E32AD9639437DB481D1
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 15338 bytes, 2 files, at 0x4c "gosttitle.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):31482
                                                                                                              Entropy (8bit):7.808057272318224
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:768:LgHv7aLOcoLGQ4EykdrHwLa+A8Pi6Iv8ACIa:LwvWyx4EykdTwLaWP7I0ACIa
                                                                                                              MD5:F10DF902980F1D5BEEA96B2C668408A7
                                                                                                              SHA1:92D341581B9E24284B7C29E5623F8028DBBAAFE9
                                                                                                              SHA-256:E0100320A4F63E07C77138A89EA24A1CBD69784A89FE3BF83E35576114B4CE02
                                                                                                              SHA-512:00A8FBCD17D791289AC8F12DC3C404B0AFD240278492DF74D2C5F37609B11D91A26D737BE95D3FE01CDBC25EEDC6DA0C2D63A2CCC4AB208D6E054014083365FB
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 14864 bytes, 2 files, at 0x4c "mlaseventheditionofficeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):31008
                                                                                                              Entropy (8bit):7.806058951525675
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:768:ktH7oN/HbwiV+M+4Jc+5UrT3czi5uOHQA8Pi6DxUR/WTZIy:87sPEANXJc+eTMsuzP7DmN0ZIy
                                                                                                              MD5:E033CCBC7BA787A2F824CE0952E57D44
                                                                                                              SHA1:EEEA573BEA217878CD9E47D7EA94E56BDAFFE22A
                                                                                                              SHA-256:D250EB1F93B43EFB7654B831B4183C9CAEC2D12D4EFEE8607FEE70B9FAB20730
                                                                                                              SHA-512:B807B024B32E7F975AED408B77563A6B47865EECE32E8BA993502D9874B56580ECC9D9A3FEFA057FDD36FB8D519B6E184DB0593A65CC0ACF5E4ACCBEDE0F9417
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 17466 bytes, 2 files, at 0x4c "chicago.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 10 datablocks, 0x1203 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):33610
                                                                                                              Entropy (8bit):7.8340762758330476
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:768:IlFYcxiahedKSDNAPk5WEEfA8Pi6xnOKMRA58:2JitdKsNAM5WBDP7xOKMq58
                                                                                                              MD5:51804E255C573176039F4D5B55C12AB2
                                                                                                              SHA1:A4822E5072B858A7CCA7DE948CAA7D2268F1BB4B
                                                                                                              SHA-256:3C6F66790C543D4E9D8E0E6F476B1ACADF0A5FCDD561B8484D8DDDADFDF8134B
                                                                                                              SHA-512:2AC8B1E433C9283377B725A03AE72374663FEC81ABBA4C049B80409819BB9613E135FCD640ED433701795BDF4D5822461D76A06859C4084E7BAE216D771BB091
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 27509 bytes, 2 files, at 0x4c "Equations.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):43653
                                                                                                              Entropy (8bit):7.899157106666598
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:768:+bjfeR1OOZvv439PlDe5/QzhgFSo0UEDmJwkqTA8Pi63Bsgn66w:IM3CN9ZzhFbUUwaP73BsB6w
                                                                                                              MD5:DA3380458170E60CBEA72602FDD0D955
                                                                                                              SHA1:1D059F8CFD69F193D363DA337C87136885018F0F
                                                                                                              SHA-256:6F8FFB225F3B8C7ADE31A17A02F941FC534E4F7B5EE678B21CD9060282034701
                                                                                                              SHA-512:17080110000C66DF2282FF4B8FD332467AF8CEFFA312C617E958FDFEBEE8EEA9E316201E8ABC8B30797BB6124A5CC7F649119A9C496316434B5AB23D2FBD5BB8
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 4313 bytes, 2 files, at 0x44 "chevronaccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):20457
                                                                                                              Entropy (8bit):7.612540359660869
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:KyeISBuydn5rpmp77G8E0GftpBjE/kFLrHRN7ngslI66YVj:KHISBvd5rpmFG8Pi6/6nK666j
                                                                                                              MD5:4EFA48EC307EAF2F9B346A073C67FCFB
                                                                                                              SHA1:76A7E1234FF29A2B18C968F89082A14C9C851A43
                                                                                                              SHA-256:3EE9AE1F8DAB4C498BD561D8FCC66D83E58F11B7BB4B2776DF99F4CDA4B850C2
                                                                                                              SHA-512:2705644D501D85A821E96732776F61641FE82820FD6A39FFAF54A45AD126C886DC36C1398CDBDBB5FE282D9B09D27F9BFE7F26A646F926DA55DFF28E61FBD696
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Cabinet archive data, many, 30269 bytes, 2 files, at 0x4c "Text Sidebar (Annual Report Red and Black design).docx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
                                                                                                              Category:dropped
                                                                                                              Size (bytes):46413
                                                                                                              Entropy (8bit):7.9071408623961394
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:768:WaxA0CH65GY3+fvCXCttfR8JEBrkquwDn+QV5V+vNWBatX/xG8Pi65sMuMjvU+mQ:hne65GYOfKXMSEBrBtDnzFAI4JxP75sM
                                                                                                              MD5:C455C4BC4BEC9E0DA67C4D1E53E46D5A
                                                                                                              SHA1:7674600C387114B0F98EC925BE74E811FB25C325
                                                                                                              SHA-256:40E9AF9284FF07FDB75C33A11A794F5333712BAA4A6CF82FA529FBAF5AD0FED0
                                                                                                              SHA-512:08166F6CB3F140E4820F86918F59295CAD8B4A17240C206DCBA8B46088110BDF4E4ADBAB9F6380315AD4590CA7C8ECDC9AFAC6BD1935B17AFB411F325FE81720
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):30
                                                                                                              Entropy (8bit):1.2389205950315936
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:NVrt:
                                                                                                              MD5:0F17C3DC027FDD98756BA46ED2ECFFA9
                                                                                                              SHA1:4272400848F7DBE251D045480C1B646D800C2B0E
                                                                                                              SHA-256:B84F176E34205C685DC12BF069084D343C83896E961AD7BB9659A0A70B2A73F3
                                                                                                              SHA-512:B834B9FC6D2CBECDE8A28C2C1E98C55F4DF7B207FF3C592345FBFF4E3D9AE828E6821F06EFDCFE14895D7FF23D7DE2548FB0A9A792B0D693069FFD71E84BD80B
                                                                                                              Malicious:false
                                                                                                              Preview:....z.........................
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Dec 3 06:58:38 2024, mtime=Tue Dec 3 06:58:43 2024, atime=Mon Dec 2 20:13:15 2024, length=230038, window=hide
                                                                                                              Category:dropped
                                                                                                              Size (bytes):600
                                                                                                              Entropy (8bit):4.547429898539797
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:4xtQl3UiuJUatl0kl//QMLysvq/Rsxt+IcccljAlxx23LXlIRo3wGim6qnavGmZ7:8NiuJZl0sXQKIgucUjAULXlrF6qnBmV
                                                                                                              MD5:2A9AD72442594D5D691F0A10A8C2F9B3
                                                                                                              SHA1:4129DE74709ED49447F632CD6FF5314D5AE7EDCA
                                                                                                              SHA-256:8B34D6183F52346942C6B63290371EB979391EC2AD2F4D686257B5AEC05AC647
                                                                                                              SHA-512:76BE77B7FE4F6CF546DE2015B8A7615A512AC47B495BC189AF260A3823BA8315FCE8CBD0F055E930ADE179524A4EDB09C3A38EE890F5A7F699A76804EEDDEDCF
                                                                                                              Malicious:false
                                                                                                              Preview:L..................F.... ......)YE....,YE......D...............................P.O. .:i.....+00.../C:\...................P.1......YT?..intel.<......YT?.YT?..........................N1..i.n.t.e.l.....Z.2......Y.. .DOC~1.DOC.B......YT?.YT?..........................,dE.D.o.c...d.o.c.x.......@...............-.......?............F.......C:\intel\Doc.docx..#.....\.....\.....\.....\.....\.....\.....\.i.n.t.e.l.\.D.o.c...d.o.c.x.`.......X.......494126...........hT..CrF.f4... .b.T..b...,.......hT..CrF.f4... .b.T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Generic INItialization configuration [folders]
                                                                                                              Category:dropped
                                                                                                              Size (bytes):41
                                                                                                              Entropy (8bit):4.247557492317427
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:HqdLBCm4UcBCv:HA9hGs
                                                                                                              MD5:CE7BCCD008058E0D96C85995FABBDC9F
                                                                                                              SHA1:939A8927196DC4C5E90B32234C1484B72052F5A1
                                                                                                              SHA-256:2AD83E8B46EF787ABC53DC07C6D648975AF14441067BCC46017DA2B1A3DEE6CC
                                                                                                              SHA-512:6D2B32C16C0B0E330EDC39C20F0666CC128F5A16D82E34837D7951FE71E02B8A5BA20CD3F0ECAA58D570B110FFCCA113FC87D4CA5C4ACBE3B557B21F20CAB872
                                                                                                              Malicious:false
                                                                                                              Preview:[misc]..Doc.LNK=0..[folders]..Doc.LNK=0..
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):562113
                                                                                                              Entropy (8bit):7.67409707491542
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12288:/dy5Gtyp/FZ9QqjdxDfSp424XeavSktiAVE0:/dizp1ndpqpMZnV
                                                                                                              MD5:4A1657A3872F9A77EC257F41B8F56B3D
                                                                                                              SHA1:4DDEA85C649A2C1408B5B08A15DEF49BAA608A0B
                                                                                                              SHA-256:C17103ADE455094E17AC182AD4B4B6A8C942FD3ACB381F9A5E34E3F8B416AE60
                                                                                                              SHA-512:7A2932639E06D79A5CE1D3C71091890D9E329CA60251E16AE4095E4A06C6428B4F86B7FFFA097BF3EEFA064370A4D51CA3DF8C89EAFA3B1F45384759DEC72922
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1649585
                                                                                                              Entropy (8bit):7.875240099125746
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24576:L368X6z95zf5BbQ6U79dYy2HiTIxRboyM/LZTl5KnCc:r68kb7UTYxGIxmnp65
                                                                                                              MD5:35200E94CEB3BB7A8B34B4E93E039023
                                                                                                              SHA1:5BB55EDAA4CDF9D805E36C36FB092E451BDDB74D
                                                                                                              SHA-256:6CE04E8827ABAEA9B292048C5F84D824DE3CEFDB493101C2DB207BD4475AF1FD
                                                                                                              SHA-512:ED80CEE7C22D10664076BA7558A79485AA39BE80582CEC9A222621764DAE5EFA70F648F8E8C5C83B6FE31C2A9A933C814929782A964A47157505F4AE79A3E2F9
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):558035
                                                                                                              Entropy (8bit):7.696653383430889
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12288:DQ/oYjRRRRRRRRYcdY/5ASWYqBMp8xsGGEOzI7vQQwOyP:DQ/nRRRRRRRRxY/5JWYZ3GGbI8YA
                                                                                                              MD5:3B5E44DDC6AE612E0346C58C2A5390E3
                                                                                                              SHA1:23BCF3FCB61F80C91D2CFFD8221394B1CB359C87
                                                                                                              SHA-256:9ED9AD4EB45E664800A4876101CBEE65C232EF478B6DE502A330D7C89C9AE8E2
                                                                                                              SHA-512:2E63419F272C6E411CA81945E85E08A6E3230A2F601C4D28D6312DB5C31321F94FAFA768B16BC377AE37B154C6869CA387005693A79C5AB1AC45ED73BCCC6479
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):570901
                                                                                                              Entropy (8bit):7.674434888248144
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:D2tTXiO/3GH5SkPQVAqWnGrkFxvay910UUTWZJarUv9TA0g8:kX32H+VWgkFxSgGTmarUv9T
                                                                                                              MD5:D676DE8877ACEB43EF0ED570A2B30F0E
                                                                                                              SHA1:6C8922697105CEC7894966C9C5553BEB64744717
                                                                                                              SHA-256:DF012D101DE808F6CD872DFBB619B16732C23CF4ABC64149B6C3CE49E9EFDA01
                                                                                                              SHA-512:F40BADA680EA5CA508947290BA73901D78DE79EAA10D01EAEF975B80612D60E75662BDA542E7F71C2BBA5CA9BA46ECAFE208FD6E40C1F929BB5E407B10E89FBD
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):523048
                                                                                                              Entropy (8bit):7.715248170753013
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:WfmDdN6Zfv8q5rnM6vZ02PtMZRkfW5ipbnMHxVcsOWrCMxy0sD/mcKb4rYEY:xDdQXBrMi2YtggW5ObnMH1brJpUmBU0N
                                                                                                              MD5:C276F590BB846309A5E30ADC35C502AD
                                                                                                              SHA1:CA6D9D6902475F0BE500B12B7204DD1864E7DD02
                                                                                                              SHA-256:782996D93DEBD2AF9B91E7F529767A8CE84ACCC36CD62F24EBB5117228B98F58
                                                                                                              SHA-512:B85165C769DFE037502E125A04CFACDA7F7CC36184B8D0A54C1F9773666FFCC43A1B13373093F97B380871571788D532DEEA352E8D418E12FD7AAD6ADB75A150
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):3078052
                                                                                                              Entropy (8bit):7.954129852655753
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:49152:bSEjlpY8skyFHuj2yY0ciM9U2NCVBB4YFzYFw7IaJE2VRK+Xn9DOOe9pp9N9Hu:bfp5sksA3cimUVxV05aJE2fKaDOXdN9O
                                                                                                              MD5:CDF98D6B111CF35576343B962EA5EEC6
                                                                                                              SHA1:D481A70EC9835B82BD6E54316BF27FAD05F13A1C
                                                                                                              SHA-256:E3F108DDB3B8581A7A2290DD1E220957E357A802ECA5B3087C95ED13AD93A734
                                                                                                              SHA-512:95C352869D08C0FE903B15311622003CB4635DE8F3A624C402C869F1715316BE2D8D9C0AB58548A84BBB32757E5A1F244B1014120543581FDEA7D7D9D502EF9C
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):777647
                                                                                                              Entropy (8bit):7.689662652914981
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:B04bNOJMngI856k0wwOGXMaXTLaTDmfBaN2Tx9iSUk1PdSnc0lnDlcGMcEFYYYYt:xbY6ngI46Aw5dmyYYYYYYYYY7p8d
                                                                                                              MD5:B30D2EF0FC261AECE90B62E9C5597379
                                                                                                              SHA1:4893C5B9BE04ECBB19EE45FFCE33CA56C7894FE3
                                                                                                              SHA-256:BB170D6DE4EE8466F56C93DC26E47EE8A229B9C4842EA8DD0D9CCC71BC8E2976
                                                                                                              SHA-512:2E728408C20C3C23C84A1C22DB28F0943AAA960B4436F8C77570448D5BEA9B8D53D95F7562883FA4F9B282DFE2FD07251EEEFDE5481E49F99B8FEDB66AAAAB68
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                              Category:dropped
                                                                                                              Size (bytes):924687
                                                                                                              Entropy (8bit):7.824849396154325
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12288:lsadD3eLxI8XSh4yDwFw8oWR+6dmw2ZpQDKpazILv7Jzny/ApcWqyOpEZULn:qLxI8XSh4yUF/oWR+mLKpYIr7l3ZQ7n
                                                                                                              MD5:97EEC245165F2296139EF8D4D43BBB66
                                                                                                              SHA1:0D91B68CCB6063EB342CFCED4F21A1CE4115C209
                                                                                                              SHA-256:3C5CF7BDB27592791ADF4E7C5A09DDE4658E10ED8F47845064DB1153BE69487C
                                                                                                              SHA-512:8594C49CAB6FF8385B1D6E174431DAFB0E947A8D7D3F200E622AE8260C793906E17AA3E6550D4775573858EA1243CCBF7132973CD1CF7A72C3587B9691535FF8
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):966946
                                                                                                              Entropy (8bit):7.8785200658952
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24576:qBcvGBGhXQir6H1ws6+iU0YuA35VuinHX2NPs:ccvGBGdQ5CsMxQVj3yPs
                                                                                                              MD5:F03AB824395A8F1F1C4F92763E5C5CAD
                                                                                                              SHA1:A6E021918C3CEFFB6490222D37ECEED1FC435D52
                                                                                                              SHA-256:D96F7A63A912CA058FB140138C41DCB3AF16638BA40820016AF78DF5D07FAEDD
                                                                                                              SHA-512:0241146B63C938F11045FB9DF5360F63EF05B9B3DD1272A3E3E329A1BFEC5A4A645D5472461DE9C06CFE4ADB991FE96C58F0357249806C341999C033CD88A7AF
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1204049
                                                                                                              Entropy (8bit):7.92476783994848
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24576:+3zSQBxvOUIpHLYTCEmS1Wu09jRalJP3sdgnmAOFt0zU4L0MRx5QNn5:+bvI5UTCPu09qP3JPOFoR4N5
                                                                                                              MD5:FD5BBC58056522847B3B75750603DF0C
                                                                                                              SHA1:97313E85C0937739AF7C7FC084A10BF202AC9942
                                                                                                              SHA-256:44976408BD6D2703BDBE177259061A502552193B1CD05E09B698C0DAC3653C5F
                                                                                                              SHA-512:DBD72827044331215A7221CA9B0ECB8809C7C79825B9A2275F3450BAE016D7D320B4CA94095F7CEF4372AC63155C78CA4795E23F93166D4720032ECF9F932B8E
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):486596
                                                                                                              Entropy (8bit):7.668294441507828
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:A+JBmUx0Zo24n8z/2NSYFl2qGBuv8p6+LwwYmN59wBttsdJrmXMlP1NwQoGgeL:fNgxz/g5z2BT6+Eu0ntMcczNQG5L
                                                                                                              MD5:0E37AECABDB3FDF8AAFEDB9C6D693D2F
                                                                                                              SHA1:F29254D2476DF70979F723DE38A4BF41C341AC78
                                                                                                              SHA-256:7AC7629142C2508B070F09788217114A70DE14ACDB9EA30CBAB0246F45082349
                                                                                                              SHA-512:DE6AFE015C1D41737D50ADD857300996F6E929FED49CB71BC59BB091F9DAB76574C56DEA0488B0869FE61E563B07EBB7330C8745BC1DF6305594AC9BDEA4A6BF
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):976001
                                                                                                              Entropy (8bit):7.791956689344336
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24576:zHM7eZGgFiHMRej4N9tpytNZ+tIw5ErZBImlX0m:zHM7eZGgFiHMRej++NZ+F5WvllZ
                                                                                                              MD5:9E563D44C28B9632A7CF4BD046161994
                                                                                                              SHA1:D3DB4E5F5B1CC6DD08BB3EBF488FF05411348A11
                                                                                                              SHA-256:86A70CDBE4377C32729FD6C5A0B5332B7925A91C492292B7F9C636321E6FAD86
                                                                                                              SHA-512:8EB14A1B10CB5C7607D3E07E63F668CFC5FC345B438D39138D62CADF335244952FBC016A311D5CB8A71D50660C49087B909528FC06C1D10AF313F904C06CBD5C
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1463634
                                                                                                              Entropy (8bit):7.898382456989258
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24576:75MGNW/UpLkupMAqDJhNHK4/TuiKbdhbZM+byLH/:7ZwUpLkulkHK46iiDZHeLH/
                                                                                                              MD5:ACBA78931B156E4AF5C4EF9E4AB3003B
                                                                                                              SHA1:2A1F506749A046ECFB049F23EC43B429530EC489
                                                                                                              SHA-256:943E4044C40ABA93BD7EA31E8B5EBEBD7976085E8B1A89E905952FA8DAC7B878
                                                                                                              SHA-512:2815D912088BA049F468CA9D65B92F8951A9BE82AB194DBFACCF0E91F0202820F5BC9535966654D28F69A8B92D048808E95FEA93042D8C5DEA1DCB0D58BE5175
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):2218943
                                                                                                              Entropy (8bit):7.942378408801199
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:49152:8mwK3gH/l4hM06Wqnnl1IdO9wASFntrPEWNe7:863gHt4hM9WWnMdO9w35PEWK
                                                                                                              MD5:EE33FDA08FBF10EF6450B875717F8887
                                                                                                              SHA1:7DFA77B8F4559115A6BF186EDE51727731D7107D
                                                                                                              SHA-256:5CF611069F281584DE3E63DE8B99253AA665867299DC0192E8274A32A82CAA20
                                                                                                              SHA-512:AED6E11003AAAACC3FB28AE838EDA521CB5411155063DFC391ACE2B9CBDFBD5476FAB2B5CC528485943EBBF537B95F026B7B5AB619893716F0A91AEFF076D885
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1750795
                                                                                                              Entropy (8bit):7.892395931401988
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24576:DyeAqDJpUDH3xk8ZKIBuX3TPtd36v4o5d4PISMETGBP6eUP+xSeW3v0HKPsc:uRqUjSTPtd36AFDM/BP6eUeW3v0Fc
                                                                                                              MD5:529795E0B55926752462CBF32C14E738
                                                                                                              SHA1:E72DFF8354DF2CB6A5698F14BBD1805D72FEEAFF
                                                                                                              SHA-256:8D341D1C24176DC6B67104C2AF90FABD3BFF666CCC0E269381703D7659A6FA05
                                                                                                              SHA-512:A51F440F1E19C084D905B721D0257F7EEE082B6377465CB94E677C29D4E844FD8021D0B6BA26C0907B72B84157C60A3EFEDFD96C16726F6ABEA8D896D78B08CE
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):2924237
                                                                                                              Entropy (8bit):7.970803022812704
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:49152:mc4NEo4XNd5wU5qTkdC4+K9u5b/i40RKRAO/cLf68wy9yxKrOUURBgmai2prH:mJef5yTSoKMF//DRGJwLx9DBaH
                                                                                                              MD5:5AF1581E9E055B6E323129E4B07B1A45
                                                                                                              SHA1:B849F85BCAF0E1C58FA841FFAE3476D20D33F2DD
                                                                                                              SHA-256:BDC9FBF81FBE91F5BF286B2CEA00EE76E70752F7E51FE801146B79F9ADCB8E98
                                                                                                              SHA-512:11BFEF500DAEC099503E8CDB3B4DE4EDE205201C0985DB4CA5EBBA03471502D79D6616D9E8F471809F6F388D7CBB8B0D0799262CBE89FEB13998033E601CEE09
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):2357051
                                                                                                              Entropy (8bit):7.929430745829162
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:49152:tfVcGO3JiR6SgT7/bOCrKCsaFCX3CzwovQTSwW8nX:pVcG2iRedsaoXSzeOwWEX
                                                                                                              MD5:5BDE450A4BD9EFC71C370C731E6CDF43
                                                                                                              SHA1:5B223FB902D06F9FCC70C37217277D1E95C8F39D
                                                                                                              SHA-256:93BFC6AC1DC1CFF497DF92B30B42056C9D422B2321C21D65728B98E420D4ED50
                                                                                                              SHA-512:2365A9F76DA07D705A6053645FD2334D707967878F930061D451E571D9228C74A8016367525C37D09CB2AD82261B4B9E7CAEFBA0B96CE2374AC1FAC6B7AB5123
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):3611324
                                                                                                              Entropy (8bit):7.965784120725206
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:49152:ixc1kZBIabo4dTJyr3hJ50gd9OaFxTy+1Nn/M/noivF0po3M0h0Vsm:ixcaAabT83hJLdoaFxTygxcoiX3M0iCm
                                                                                                              MD5:FB88BFB743EEA98506536FC44B053BD0
                                                                                                              SHA1:B27A67A5EEC1B5F9E7A9C3B76223EDE4FCAF5537
                                                                                                              SHA-256:05057213BA7E5437AC3B8E9071A5577A8F04B1A67EFE25A08D3884249A22FBBF
                                                                                                              SHA-512:4270A19F4D73297EEC910B81FF17441F3FC7A6A2A84EBA2EA3F7388DD3AA0BA31E9E455CFF93D0A34F4EC7CA74672D407A1C4DC838A130E678CA92A2E085851C
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1091485
                                                                                                              Entropy (8bit):7.906659368807194
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24576:oBpmCkw3Tg/euEB+UdoC4k7ytHkHA6B/puqW2MIkTeSBmKrZHQ:MR3c/AseydwppC7veSBmWHQ
                                                                                                              MD5:2192871A20313BEC581B277E405C6322
                                                                                                              SHA1:1F9A6A5E10E1C3FFEB6B6725C5D2FA9ECDF51085
                                                                                                              SHA-256:A06B302954A4C9A6A104A8691864A9577B0BFEA240B0915D9BEA006E98CDFFEC
                                                                                                              SHA-512:6D8844D2807BB90AEA6FE0DDDB9C67542F587EC9B7FC762746164B2D4A1A99EF8368A70C97BAD7A986AAA80847F64408F50F4707BB039FCCC509133C231D53B9
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):608122
                                                                                                              Entropy (8bit):7.729143855239127
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:Ckl6KRKwg9jf2q/bN69OuGFlC/DUhq68xOcJzGYnTxlLqU8dmTW:8yKwgZ2qY9kA7Uhq68H3ybmq
                                                                                                              MD5:8BA551EEC497947FC39D1D48EC868B54
                                                                                                              SHA1:02FA15FDAF0D7E2F5D44CAE5FFAE49E8F91328DF
                                                                                                              SHA-256:DB2E99B969546E431548EBD58707FC001BBD1A4BDECAD387D194CC9C6D15AC89
                                                                                                              SHA-512:CC97F9B2C83FF7CAC32AB9A9D46E0ACDE13EECABECD653C88F74E4FC19806BB9498D2F49C4B5581E58E7B0CB95584787EA455E69D99899381B592BEA177D4D4B
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):5783
                                                                                                              Entropy (8bit):7.88616857639663
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:CDG4D+8VsXzXc2zLXTJ2XFY47pk2G7HVlwFzTXNbMfmn2ivLZcreFWw5fc9ADdZm:CDG4DRGY23l2Xu47GL7YtT9V29yWvWdk
                                                                                                              MD5:8109B3C170E6C2C114164B8947F88AA1
                                                                                                              SHA1:FC63956575842219443F4B4C07A8127FBD804C84
                                                                                                              SHA-256:F320B4BB4E57825AA4A40E5A61C1C0189D808B3EACE072B35C77F38745A4C416
                                                                                                              SHA-512:F8A8D7A6469CD3E7C31F3335DDCC349AD7A686730E1866F130EE36AA9994C52A01545CE73D60B642FFE0EE49972435D183D8CD041F2BB006A6CAF31BAF4924AC
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):4026
                                                                                                              Entropy (8bit):7.809492693601857
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:VpDCBFLhxaUGm5EWA07yNdKH1FQpy8tnX8Iz3b7TrT502+fPD:VpDYFFRMNU+RtXzLf35t+3D
                                                                                                              MD5:5D9BAD7ADB88CEE98C5203883261ACA1
                                                                                                              SHA1:FBF1647FCF19BCEA6C3CF4365C797338CA282CD2
                                                                                                              SHA-256:8CE600404BB3DB92A51B471D4AB8B166B566C6977C9BB63370718736376E0E2F
                                                                                                              SHA-512:7132923869A3DA2F2A75393959382599D7C4C05CA86B4B27271AB9EA95C7F2E80A16B45057F4FB729C9593F506208DC70AF2A635B90E4D8854AC06C787F6513D
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):4243
                                                                                                              Entropy (8bit):7.824383764848892
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:22MQe4zHye8/djzF+JjvtmMkkBpF7e0LTkaf:22De4zHHCvF+nRBDXoaf
                                                                                                              MD5:7BC0A35807CD69C37A949BBD51880FF5
                                                                                                              SHA1:B5870846F44CAD890C6EFF2F272A037DA016F0D8
                                                                                                              SHA-256:BD3A013F50EBF162AAC4CED11928101554C511BD40C2488CF9F5842A375B50CA
                                                                                                              SHA-512:B5B785D693216E38B5AB3F401F414CADACCDCB0DCA4318D88FE1763CD3BAB8B7670F010765296613E8D3363E47092B89357B4F1E3242F156750BE86F5F7E9B8D
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                              Category:dropped
                                                                                                              Size (bytes):16806
                                                                                                              Entropy (8bit):7.9519793977093505
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:eSMjhqgJDGwOzHR3iCpK+QdLdfufFJ9aDn9LjDMVAwHknbz7OW:eSkhqglGwERSAHQdLhDn9AKokv7H
                                                                                                              MD5:950F3AB11CB67CC651082FEBE523AF63
                                                                                                              SHA1:418DE03AD2EF93D0BD29C3D7045E94D3771DACB4
                                                                                                              SHA-256:9C5E4D8966A0B30A22D92DB1DA2F0DBF06AC2EA75E7BB8501777095EA0196974
                                                                                                              SHA-512:D74BF52A58B0C0327DB9DDCAD739794020F00B3FA2DE2B44DAAEC9C1459ECAF3639A5D761BBBC6BDF735848C4FD7E124D13B23964B0055BB5AA4F6AFE76DFE00
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                              Category:dropped
                                                                                                              Size (bytes):11380
                                                                                                              Entropy (8bit):7.891971054886943
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:VJcnLYnAVbOFLaCPLrGGbhaWEu6d3RmryqLkeAShObPb1AYcRMMXjkfa0nYBwggD:VcMC8lLrRbhy1ZqLyShYb1FHQ4C0nYQJ
                                                                                                              MD5:C9F9364C659E2F0C626AC0D0BB519062
                                                                                                              SHA1:C4036C576074819309D03BB74C188BF902D1AE00
                                                                                                              SHA-256:6FC428CA0DCFC27D351736EF16C94D1AB08DDA50CB047A054F37EC028DD08AA2
                                                                                                              SHA-512:173A5E68E55163B081C5A8DA24AE46428E3FB326EBE17AE9588C7F7D7E5E5810BFCF08C23C3913D6BEC7369E06725F50387612F697AC6A444875C01A2C94D0FF
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6024
                                                                                                              Entropy (8bit):7.886254023824049
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:bGa2onnLYHTSSxpHVTSH1bywZKmpRqiUtFvS9xrPooBpni6eDa16MUELHsrKjRBA:SJonLYzSSr1TuZNwtFZKpiiyrKXuCUd
                                                                                                              MD5:20621E61A4C5B0FFEEC98FFB2B3BCD31
                                                                                                              SHA1:4970C22A410DCB26D1BD83B60846EF6BEE1EF7C4
                                                                                                              SHA-256:223EA2602C3E95840232CACC30F63AA5B050FA360543C904F04575253034E6D7
                                                                                                              SHA-512:BDF3A8E3D6EE87D8ADE0767918603B8D238CAE8A2DD0C0F0BF007E89E057C7D1604EB3CCAF0E1BA54419C045FC6380ECBDD070F1BB235C44865F1863A8FA7EEA
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                              Category:dropped
                                                                                                              Size (bytes):9191
                                                                                                              Entropy (8bit):7.93263830735235
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:oeAMExvPJMg+yE+AfJLi3+Xoj7F3sPgMG61J88eDhFWT7hFNsdJtnLYJ7tSh:v2d+hnfJLi3+4ja4WqhFWT7FsdHMA
                                                                                                              MD5:08D3A25DD65E5E0D36ADC602AE68C77D
                                                                                                              SHA1:F23B6DDB3DA0015B1D8877796F7001CABA25EA64
                                                                                                              SHA-256:58B45B9DBA959F40294DA2A54270F145644E810290F71260B90F0A3A9FCDEBC1
                                                                                                              SHA-512:77D24C272D67946A3413D0BEA700A7519B4981D3B4D8486A655305546CE6133456321EE94FD71008CBFD678433EA1C834CFC147179B31899A77D755008FCE489
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):4326
                                                                                                              Entropy (8bit):7.821066198539098
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:+fF+Jrp7Yo5hnJiGa24TxEcpUeONo1w2NFocy2LQi33Z:2+f7YuhJdJ4TxEcmKwGkk3Z
                                                                                                              MD5:D32E93F7782B21785424AE2BEA62B387
                                                                                                              SHA1:1D5589155C319E28383BC01ED722D4C2A05EF593
                                                                                                              SHA-256:2DC7E71759D84EF8BB23F11981E2C2044626FEA659383E4B9922FE5891F5F478
                                                                                                              SHA-512:5B07D6764A6616A7EF25B81AB4BD4601ECEC1078727BFEAB4A780032AD31B1B26C7A2306E0DBB5B39FC6E03A3FC18AD67C170EA9790E82D8A6CEAB8E7F564447
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):7370
                                                                                                              Entropy (8bit):7.9204386289679745
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:fYa+ngK2xG6HvLvoUnXxO+blKO1lt2Zg0AV:fYVn8Y6Hv3XxO+8uQZCV
                                                                                                              MD5:586CEBC1FAC6962F9E36388E5549FFE9
                                                                                                              SHA1:D1EF3BF2443AE75A78E9FDE8DD02C5B3E46F5F2E
                                                                                                              SHA-256:1595C0C027B12FE4C2B506B907C795D14813BBF64A2F3F6F5D71912D7E57BC40
                                                                                                              SHA-512:68DEAE9C59EA98BD597AE67A17F3029BC7EA2F801AC775CF7DECA292069061EA49C9DF5776CB5160B2C24576249DAF817FA463196A04189873CF16EFC4BEDC62
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):5596
                                                                                                              Entropy (8bit):7.875182123405584
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:dGa2unnLYEB2EUAPOak380NQjqbHaPKJebgrEVws8Vw+BMa0EbdLVQaZJgDZh0pJ:UJunLYEB2EUAxk3pIYaScgYwsV4bdS0X
                                                                                                              MD5:CDC1493350011DB9892100E94D5592FE
                                                                                                              SHA1:684B444ADE2A8DBE760B54C08F2D28F2D71AD0FA
                                                                                                              SHA-256:F637A67799B492FEFFB65632FED7815226396B4102A7ED790E0D9BB4936E1548
                                                                                                              SHA-512:3699066A4E8A041079F12E88AB2E7F485E968619CB79175267842846A3AD64AA8E7778CBACDF1117854A7FDCFB46C8025A62F147C81074823778C6B4DC930F12
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                              Category:dropped
                                                                                                              Size (bytes):3683
                                                                                                              Entropy (8bit):7.772039166640107
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:GyfQZd6ZHNCWl9aXFkZwIq/QDsRYPf8P9QtDIs5r:G6wYtNZS1k99AmPfSOtD5r
                                                                                                              MD5:E8308DA3D46D0BC30857243E1B7D330D
                                                                                                              SHA1:C7F8E54A63EB254C194A23137F269185E07F9D10
                                                                                                              SHA-256:6534D4D7EF31B967DD0A20AFFF092F8B93D3C0EFCBF19D06833F223A65C6E7C4
                                                                                                              SHA-512:88AB7263B7A8D7DDE1225AE588842E07DF3CE7A07CBD937B7E26DA7DA7CFED23F9C12730D9EF4BC1ACF26506A2A96E07875A1A40C2AD55AD1791371EE674A09B
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                              Category:dropped
                                                                                                              Size (bytes):4888
                                                                                                              Entropy (8bit):7.8636569313247335
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:StrFZ23/juILHPzms5UTuK9CuZGEoEuZ28H1HiGa2RnnLY+tUb:SPZQ7uCHPzms5UTlqauZVHdJRnLY+tUb
                                                                                                              MD5:0A4CA91036DC4F3CD8B6DBF18094CF25
                                                                                                              SHA1:6C7EED2530CD0032E9EEAB589AFBC296D106FBB9
                                                                                                              SHA-256:E5A56CCB3B3898F76ABF909209BFAB401B5DDCD88289AD43CE96B02989747E50
                                                                                                              SHA-512:7C69426F2250E8C84368E8056613C22977630A4B3F5B817FB5EA69081CE2A3CA6E5F93DF769264253D5411419AF73467A27F0BB61291CCDE67D931BD0689CB66
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6448
                                                                                                              Entropy (8bit):7.897260397307811
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:tgaoRbo1sMjb0NiJ85oPtqcS+yaXWoa8XBzdJYnLYFtWT7:LR1sk+i4o1qc1yaukzd8MK
                                                                                                              MD5:42A840DC06727E42D42C352703EC72AA
                                                                                                              SHA1:21AAAF517AFB76BF1AF4E06134786B1716241D29
                                                                                                              SHA-256:02CCE7D526F844F70093AC41731D1A1E9B040905DCBA63BA8BFFC0DBD4D3A7A7
                                                                                                              SHA-512:8886BFD240D070237317352DEB3D46C6B07E392EBD57730B1DED016BD8740E75B9965F7A3FCD43796864F32AAE0BE911AB1A670E9CCC70E0774F64B1BDA93488
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                              Category:dropped
                                                                                                              Size (bytes):5630
                                                                                                              Entropy (8bit):7.87271654296772
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:n5ni6jKZWsD+QJaUQ7R6qYFF5QS+BEgeJam6S7ZCHuKViGa2CnnLYLt/ht:nccqxIBdQ1QS+uDJanS7ZCHHVdJCnLY5
                                                                                                              MD5:2F8998AA9CF348F1D6DE16EAB2D92070
                                                                                                              SHA1:85B13499937B4A584BEA0BFE60475FD4C73391B6
                                                                                                              SHA-256:8A216D16DEC44E02B9AB9BBADF8A11F97210D8B73277B22562A502550658E580
                                                                                                              SHA-512:F10F7772985EDDA442B9558127F1959FF0A9909C7B7470E62D74948428BFFF7E278739209E8626AE5917FF728AFB8619AE137BEE2A6A4F40662122208A41ABB2
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6193
                                                                                                              Entropy (8bit):7.855499268199703
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:WavHMKgnU2HUGFhUnkbOKoztj1QfcnLYut3d8:YKeUlGXUnC+HQSMp
                                                                                                              MD5:031C246FFE0E2B623BBBD231E414E0D2
                                                                                                              SHA1:A57CA6134779D54691A4EFD344BC6948E253E0BA
                                                                                                              SHA-256:2D76C8D1D59EDB40D1FBBC6406A06577400582D1659A544269500479B6753CF7
                                                                                                              SHA-512:6A784C28E12C3740300883A0E690F560072A3EA8199977CBD7F260A21E8346B82BA8A4F78394D3BB53FA2E98564B764C2D0232C40B25FB6085C36D20D70A39D1
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):3075
                                                                                                              Entropy (8bit):7.716021191059687
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:96yn4sOBoygpySCCxwKsZCB2oLEIK+aQpUNLRQWtmMamIZxAwCC2QnyODhVOzP4:l0vCxJsZQ2ofpKvtmMdIZxAwJyODhVOE
                                                                                                              MD5:67766FF48AF205B771B53AA2FA82B4F4
                                                                                                              SHA1:0964F8B9DC737E954E16984A585BDC37CE143D84
                                                                                                              SHA-256:160D05B4CB42E1200B859A2DE00770A5C9EBC736B70034AFC832A475372A1667
                                                                                                              SHA-512:AC28B0B4A9178E9B424E5893870913D80F4EE03D595F587AA1D3ACC68194153BAFC29436ADFD6EA8992F0B00D17A43CFB42C529829090AF32C3BE591BD41776D
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft OOXML
                                                                                                              Category:dropped
                                                                                                              Size (bytes):5151
                                                                                                              Entropy (8bit):7.859615916913808
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:WkV3UHhcZDEteEJqeSGzpG43GUR8m8b6dDLiCTfjKPnD6H5RhfuDKNtxx3+7tDLp:Wq3UBc9EJqIpGgD5dDL1DjKvDKhfnNti
                                                                                                              MD5:6C24ED9C7C868DB0D55492BB126EAFF8
                                                                                                              SHA1:C6D96D4D298573B70CF5C714151CF87532535888
                                                                                                              SHA-256:48AF17267AD75C142EFA7AB7525CA48FAB579592339FB93E92C4C4DA577D4C9F
                                                                                                              SHA-512:A3E9DC48C04DC8571289F57AE790CA4E6934FBEA4FDDC20CB780F7EA469FE1FC1D480A1DBB04D15301EF061DA5700FF0A793EB67D2811C525FEF618B997BCABD
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):333258
                                                                                                              Entropy (8bit):4.654450340871081
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:ybW83Zb181+MKHZR5D7H3hgtfL/8mIDbEhPv9FHSVsioWUyGYmwxAw+GIfnUNv5J:i
                                                                                                              MD5:5632C4A81D2193986ACD29EADF1A2177
                                                                                                              SHA1:E8FF4FDFEB0002786FCE1CF8F3D25F8E9631E346
                                                                                                              SHA-256:06DE709513D7976690B3DD8F5FDF1E59CF456A2DFBA952B97EACC72FE47B238B
                                                                                                              SHA-512:676CE1957A374E0F36634AA9CFFBCFB1E1BEFE1B31EE876483B10763EA9B2D703F2F3782B642A5D7D0945C5149B572751EBD9ABB47982864834EF61E3427C796
                                                                                                              Malicious:false
                                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.. <xsl:output method="html" encoding="us-ascii"/>.... <xsl:template match="*" mode="outputHtml2">.. <xsl:apply-templates mode="outputHtml"/>.. </xsl:template>.... <xsl:template name="StringFormatDot">.. <xsl:param name="format" />.. <xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.. <xsl:when test="$format = ''"></xsl:when>.. <xsl:when test="substring($format, 1, 2) = '%%'">.. <xsl:text>%</xsl:text>.. <xsl:call-template name="StringFormatDot">.. <xsl:with-param name="format" select="substring($format, 3)" />.. <xsl:with-param name=
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):296658
                                                                                                              Entropy (8bit):5.000002997029767
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:RwprAMk0qvtfL/vF/bkWPz9yv7EOMBPitjASjTQQr7IwR0TnyDkJb78plJwf33iV:M
                                                                                                              MD5:9AC6DE7B629A4A802A41F93DB2C49747
                                                                                                              SHA1:3D6E929AA1330C869D83F2BF8EBEBACD197FB367
                                                                                                              SHA-256:52984BC716569120D57C8E6A360376E9934F00CF31447F5892514DDCCF546293
                                                                                                              SHA-512:5736F14569E0341AFB5576C94B0A7F87E42499CEC5927AAC83BB5A1F77B279C00AEA86B5F341E4215076D800F085D831F34E4425AD9CFD52C7AE4282864B1E73
                                                                                                              Malicious:false
                                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):268317
                                                                                                              Entropy (8bit):5.05419861997223
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:JwprAJLR95vtfb8p4bgWPzDCvCmvQursq7vImej/yQzSS1apSiQhHDOruvoVeMUh:N9
                                                                                                              MD5:51D32EE5BC7AB811041F799652D26E04
                                                                                                              SHA1:412193006AA3EF19E0A57E16ACF86B830993024A
                                                                                                              SHA-256:6230814BF5B2D554397580613E20681752240AB87FD354ECECF188C1EABE0E97
                                                                                                              SHA-512:5FC5D889B0C8E5EF464B76F0C4C9E61BDA59B2D1205AC9417CC74D6E9F989FB73D78B4EB3044A1A1E1F2C00CE1CA1BD6D4D07EEADC4108C7B124867711C31810
                                                                                                              Malicious:false
                                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):255948
                                                                                                              Entropy (8bit):5.103631650117028
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:gwprAm795vtfb8p4bgWPWEtTmtcRCDPThNPFQwB+26RxlsIBkAgRMBHcTCwsHe5a:kW
                                                                                                              MD5:9888A214D362470A6189DEFF775BE139
                                                                                                              SHA1:32B552EB3C73CD7D0D9D924C96B27A86753E0F97
                                                                                                              SHA-256:C64ED5C2A323C00E84272AD3A701CAEBE1DCCEB67231978DE978042F09635FA7
                                                                                                              SHA-512:8A75FC2713003FA40B9730D29C786C76A796F30E6ACE12064468DD2BB4BF97EF26AC43FFE1158AB1DB06FF715D2E6CDE8EF3E8B7C49AA1341603CE122F311073
                                                                                                              Malicious:false
                                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>............<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select=
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):251032
                                                                                                              Entropy (8bit):5.102652100491927
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:hwprA5R95vtfb8p4bgWPwW6/m26AnV9IBgIkqm6HITUZJcjUZS1XkaNPQTlvB2zr:JA
                                                                                                              MD5:F425D8C274A8571B625EE66A8CE60287
                                                                                                              SHA1:29899E309C56F2517C7D9385ECDBB719B9E2A12B
                                                                                                              SHA-256:DD7B7878427276AF5DBF8355ECE0D1FE5D693DF55AF3F79347F9D20AE50DB938
                                                                                                              SHA-512:E567F283D903FA533977B30FD753AA1043B9DDE48A251A9AC6777A3B67667443FEAD0003765A630D0F840B6C275818D2F903B6CB56136BEDCC6D9BDD20776564
                                                                                                              Malicious:false
                                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):284415
                                                                                                              Entropy (8bit):5.00549404077789
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:N9G5o7Fv0ZcxrStAtXWty8zRLYBQd8itHiYYPVJHMSo27hlwNR57johqBXlwNR2b:y
                                                                                                              MD5:33A829B4893044E1851725F4DAF20271
                                                                                                              SHA1:DAC368749004C255FB0777E79F6E4426E12E5EC8
                                                                                                              SHA-256:C40451CADF8944A9625DD690624EA1BA19CECB825A67081E8144AD5526116924
                                                                                                              SHA-512:41C1F65E818C2757E1A37F5255E98F6EDEAC4214F9D189AD09C6F7A51F036768C1A03D6CFD5845A42C455EE189D13BB795673ACE3B50F3E1D77DAFF400F4D708
                                                                                                              Malicious:false
                                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2008</xsl:text>.....</xsl:when>.... <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <x
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):294178
                                                                                                              Entropy (8bit):4.977758311135714
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:ydkJ3yU0orh0SCLVXyMFsoiOjWIm4vW2uo4hfhf7v3uH4NYYP4BpBaZTTSSamEUD:b
                                                                                                              MD5:0C9731C90DD24ED5CA6AE283741078D0
                                                                                                              SHA1:BDD3D7E5B0DE9240805EA53EF2EB784A4A121064
                                                                                                              SHA-256:ABCE25D1EB3E70742EC278F35E4157EDB1D457A7F9D002AC658AAA6EA4E4DCDF
                                                                                                              SHA-512:A39E6201D6B34F37C686D9BD144DDD38AE212EDA26E3B81B06F1776891A90D84B65F2ABC5B8F546A7EFF3A62D35E432AF0254E2F5BFE4AA3E0CF9530D25949C0
                                                                                                              Malicious:false
                                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2006</xsl:text>.....</xsl:when>.. <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameL
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):270198
                                                                                                              Entropy (8bit):5.073814698282113
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:JwprAiaR95vtfb8pDbgWPzDCvCmvQursq7vImej/yQ4SS1apSiQhHDOruvoVeMUX:We
                                                                                                              MD5:FF0E07EFF1333CDF9FC2523D323DD654
                                                                                                              SHA1:77A1AE0DD8DBC3FEE65DD6266F31E2A564D088A4
                                                                                                              SHA-256:3F925E0CC1542F09DE1F99060899EAFB0042BB9682507C907173C392115A44B5
                                                                                                              SHA-512:B4615F995FAB87661C2DBE46625AA982215D7BDE27CAFAE221DCA76087FE76DA4B4A381943436FCAC1577CB3D260D0050B32B7B93E3EB07912494429F126BB3D
                                                                                                              Malicious:false
                                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):217137
                                                                                                              Entropy (8bit):5.068335381017074
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:AwprA3Z95vtf58pb1WP2DCvCmvQursq7vIme5QyQzSS1apSiQhHDlruvoVeMUwFj:4P
                                                                                                              MD5:3BF8591E1D808BCCAD8EE2B822CC156B
                                                                                                              SHA1:9CC1E5EFD715BD0EAE5AF983FB349BAC7A6D7BA0
                                                                                                              SHA-256:7194396E5C833E6C8710A2E5D114E8E24338C64EC9818D51A929D57A5E4A76C8
                                                                                                              SHA-512:D434A4C15DA3711A5DAAF5F7D0A5E324B4D94A04B3787CA35456BFE423EAC9D11532BB742CDE6E23C16FA9FD203D3636BD198B41C7A51E7D3562D5306D74F757
                                                                                                              Malicious:false
                                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>...... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parame
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):254875
                                                                                                              Entropy (8bit):5.003842588822783
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:MwprAnniNgtfbzbOWPuv7kOMBLitjAUjTQLrYHwR0TnyDkHqV3iPr1zHX5T6SSXj:a
                                                                                                              MD5:377B3E355414466F3E3861BCE1844976
                                                                                                              SHA1:0B639A3880ACA3FD90FA918197A669CC005E2BA4
                                                                                                              SHA-256:4AC5B26C5E66E122DE80243EF621CA3E1142F643DD2AD61B75FF41CFEE3DFFAF
                                                                                                              SHA-512:B050AD52A8161F96CBDC880DD1356186F381B57159F5010489B04528DB798DB955F0C530465AB3ECD5C653586508429D98336D6EB150436F1A53ABEE0697AEB9
                                                                                                              Malicious:false
                                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>...</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />......<xsl:variable name="prop_EndChars">.....<xsl:call-template name="templ_prop_EndChars"/>....</xsl:variable>......<xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parameters" />......
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):344303
                                                                                                              Entropy (8bit):5.023195898304535
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:UwprANnsqvtfL/vF/bkWPRMMv7EOMBPitjASjTQQr7IwR0TnyDk1b78plJwf33iD:6
                                                                                                              MD5:F079EC5E2CCB9CD4529673BCDFB90486
                                                                                                              SHA1:FBA6696E6FA918F52997193168867DD3AEBE1AD6
                                                                                                              SHA-256:3B651258F4D0EE1BFFC7FB189250DED1B920475D1682370D6685769E3A9346DB
                                                                                                              SHA-512:4FFFA59863F94B3778F321DA16C43B92A3053E024BDD8C5317077EA1ECC7B09F67ECE3C377DB693F3432BF1E2D947EC5BF8E88E19157ED08632537D8437C87D6
                                                                                                              Malicious:false
                                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$pa
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):250983
                                                                                                              Entropy (8bit):5.057714239438731
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:JwprA6OS95vtfb8p4bgWPzkhUh9I5/oBRSifJeg/yQzvapSiQhHZeruvoXMUw3im:uP
                                                                                                              MD5:F883B260A8D67082EA895C14BF56DD56
                                                                                                              SHA1:7954565C1F243D46AD3B1E2F1BAF3281451FC14B
                                                                                                              SHA-256:EF4835DB41A485B56C2EF0FF7094BC2350460573A686182BC45FD6613480E353
                                                                                                              SHA-512:D95924A499F32D9B4D9A7D298502181F9E9048C21DBE0496FA3C3279B263D6F7D594B859111A99B1A53BD248EE69B867D7B1768C42E1E40934E0B990F0CE051E
                                                                                                              Malicious:false
                                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Word 2007+
                                                                                                              Category:dropped
                                                                                                              Size (bytes):51826
                                                                                                              Entropy (8bit):5.541375256745271
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:erH5dYPCA4t3aEFGiSUDtYfEbi5Ry/AT7/6tHODaFlDSomurYNfT4A0VIwWNS89u:Q6Cbh9tENyWdaFUSYNfZS89/3qtEu
                                                                                                              MD5:2AB22AC99ACFA8A82742E774323C0DBD
                                                                                                              SHA1:790F8B56DF79641E83A16E443A75A66E6AA2F244
                                                                                                              SHA-256:BC9D45D0419A08840093B0BF4DCF96264C02DFE5BD295CD9B53722E1DA02929D
                                                                                                              SHA-512:E5715C0ECF35CE250968BD6DE5744D28A9F57D20FD6866E2AF0B2D8C8F80FEDC741D48F554397D61C5E702DA896BD33EED92D778DBAC71E2E98DCFB0912DE07B
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Word 2007+
                                                                                                              Category:dropped
                                                                                                              Size (bytes):47296
                                                                                                              Entropy (8bit):6.42327948041841
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:768:ftjI1BT8N37szq00s7dB2wMVJGHR97/RDU5naXUsT:fJIPTfq0ndB2w1bpsE
                                                                                                              MD5:5A53F55DD7DA8F10A8C0E711F548B335
                                                                                                              SHA1:035E685927DA2FECB88DE9CAF0BECEC88BC118A7
                                                                                                              SHA-256:66501B659614227584DA04B64F44309544355E3582F59DBCA3C9463F67B7E303
                                                                                                              SHA-512:095BD5D1ACA2A0CA3430DE2F005E1D576AC9387E096D32D556E4348F02F4D658D0E22F2FC4AA5BF6C07437E6A6230D2ABF73BBD1A0344D73B864BC4813D60861
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Word 2007+
                                                                                                              Category:dropped
                                                                                                              Size (bytes):34415
                                                                                                              Entropy (8bit):7.352974342178997
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:768:ev13NPo9o5NGEVIi3kvH+3SMdk7zp3tE2:ev13xoOE+R3BkR7
                                                                                                              MD5:7CDFFC23FB85AD5737452762FA36AAA0
                                                                                                              SHA1:CFBC97247959B3142AFD7B6858AD37B18AFB3237
                                                                                                              SHA-256:68A8FBFBEE4C903E17C9421082E839144C205C559AFE61338CBDB3AF79F0D270
                                                                                                              SHA-512:A0685FD251208B772436E9745DA2AA52BC26E275537688E3AB44589372D876C9ACE14B21F16EC4053C50EB4C8E11787E9B9D922E37249D2795C5B7986497033E
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:Microsoft Word 2007+
                                                                                                              Category:dropped
                                                                                                              Size (bytes):3465076
                                                                                                              Entropy (8bit):7.898517227646252
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:98304:n8ItVaN7vTMZ9IBbaETXbI8ItVaN7vTMZ9IBbaEiXbY:8ItwNX9BvTvItwNX9BvoM
                                                                                                              MD5:8BC84DB5A3B2F8AE2940D3FB19B43787
                                                                                                              SHA1:3A5FE7B14D020FAD0E25CD1DF67864E3E23254EE
                                                                                                              SHA-256:AF1FDEEA092169BF794CDC290BCA20AEA07AC7097D0EFCAB76F783FA38FDACDD
                                                                                                              SHA-512:558F52C2C79BF4A3FBB8BB7B1C671AFD70A2EC0B1BDE10AC0FED6F5398E53ED3B2087B38B7A4A3D209E4F1B34150506E1BA362E4E1620A47ED9A1C7924BB9995
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):12
                                                                                                              Entropy (8bit):0.41381685030363374
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:/l:
                                                                                                              MD5:E4A1661C2C886EBB688DEC494532431C
                                                                                                              SHA1:A2AE2A7DB83B33DC95396607258F553114C9183C
                                                                                                              SHA-256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
                                                                                                              SHA-512:EFDCB76FB40482BC94E37EAE3701E844BF22C7D74D53AEF93AC7B6AE1C1094BA2F853875D2C66A49A7075EA8C69F5A348B786D6EE0FA711669279D04ADAAC22C
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):12
                                                                                                              Entropy (8bit):0.41381685030363374
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:/l:
                                                                                                              MD5:E4A1661C2C886EBB688DEC494532431C
                                                                                                              SHA1:A2AE2A7DB83B33DC95396607258F553114C9183C
                                                                                                              SHA-256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
                                                                                                              SHA-512:EFDCB76FB40482BC94E37EAE3701E844BF22C7D74D53AEF93AC7B6AE1C1094BA2F853875D2C66A49A7075EA8C69F5A348B786D6EE0FA711669279D04ADAAC22C
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):12
                                                                                                              Entropy (8bit):0.41381685030363374
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:/l:
                                                                                                              MD5:E4A1661C2C886EBB688DEC494532431C
                                                                                                              SHA1:A2AE2A7DB83B33DC95396607258F553114C9183C
                                                                                                              SHA-256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
                                                                                                              SHA-512:EFDCB76FB40482BC94E37EAE3701E844BF22C7D74D53AEF93AC7B6AE1C1094BA2F853875D2C66A49A7075EA8C69F5A348B786D6EE0FA711669279D04ADAAC22C
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):12
                                                                                                              Entropy (8bit):0.41381685030363374
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:/l:
                                                                                                              MD5:E4A1661C2C886EBB688DEC494532431C
                                                                                                              SHA1:A2AE2A7DB83B33DC95396607258F553114C9183C
                                                                                                              SHA-256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
                                                                                                              SHA-512:EFDCB76FB40482BC94E37EAE3701E844BF22C7D74D53AEF93AC7B6AE1C1094BA2F853875D2C66A49A7075EA8C69F5A348B786D6EE0FA711669279D04ADAAC22C
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: RMS - Host 7.2, Comments: This installer contains the logic and data to install RMS - Host 7.2, Keywords: Installer,MSI,Database, Subject: RMS - Host 7.2, Author: TektonIT, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2021 - Premier Edition with Virtualization Pack 27, Last Saved Time/Date: Thu Jul 18 02:24:09 2024, Create Time/Date: Thu Jul 18 02:24:09 2024, Last Printed: Thu Jul 18 02:24:09 2024, Revision Number: {134AA6F2-2A49-44F2-A7A5-B7B9233956FA}, Code page: 1251, Template: Intel;1049
                                                                                                              Category:dropped
                                                                                                              Size (bytes):26864640
                                                                                                              Entropy (8bit):7.924911310016854
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:393216:3fWbJGFHH0km5pmwUs1211e50MRZDzPHPRn9xrUVaWILZPLM4ShshVK6KZ478Qic:3fRLmf21sq8P50dILZPLzVK6D
                                                                                                              MD5:24F15E659ECB67862F4C6E72726BFCA7
                                                                                                              SHA1:75D90172D7A315A31A484629DC8573367F3E544A
                                                                                                              SHA-256:F11C06F1FD567E26FB4CE9999749516B6E47ADE4EE0B7B875A75A5CBFB74DC04
                                                                                                              SHA-512:913C9FB7FDCA7F9F7DD7077C34092E76E42D88802406C9A5F6E8AA0C21E4F21FEE850A39B95982EFE9ED4A2D022A95C30739CC20DC65F3C6722B6022D8F76B3C
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: RMS - Host 7.2, Comments: This installer contains the logic and data to install RMS - Host 7.2, Keywords: Installer,MSI,Database, Subject: RMS - Host 7.2, Author: TektonIT, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2021 - Premier Edition with Virtualization Pack 27, Last Saved Time/Date: Thu Jul 18 02:24:09 2024, Create Time/Date: Thu Jul 18 02:24:09 2024, Last Printed: Thu Jul 18 02:24:09 2024, Revision Number: {134AA6F2-2A49-44F2-A7A5-B7B9233956FA}, Code page: 1251, Template: Intel;1049
                                                                                                              Category:dropped
                                                                                                              Size (bytes):26864640
                                                                                                              Entropy (8bit):7.924911310016854
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:393216:3fWbJGFHH0km5pmwUs1211e50MRZDzPHPRn9xrUVaWILZPLM4ShshVK6KZ478Qic:3fRLmf21sq8P50dILZPLzVK6D
                                                                                                              MD5:24F15E659ECB67862F4C6E72726BFCA7
                                                                                                              SHA1:75D90172D7A315A31A484629DC8573367F3E544A
                                                                                                              SHA-256:F11C06F1FD567E26FB4CE9999749516B6E47ADE4EE0B7B875A75A5CBFB74DC04
                                                                                                              SHA-512:913C9FB7FDCA7F9F7DD7077C34092E76E42D88802406C9A5F6E8AA0C21E4F21FEE850A39B95982EFE9ED4A2D022A95C30739CC20DC65F3C6722B6022D8F76B3C
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):169896
                                                                                                              Entropy (8bit):6.068969720857241
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3072:jqSoP/44Yvge5XKhpKJJdu+ew+BZPHbN2e9n2p+:j5g/ve5XKhMVJSIun6+
                                                                                                              MD5:B5ADF92090930E725510E2AAFE97434F
                                                                                                              SHA1:EB9AFF632E16FCB0459554979D3562DCF5652E21
                                                                                                              SHA-256:1F6F0D9F136BC170CFBC48A1015113947087AC27AED1E3E91673FFC91B9F390B
                                                                                                              SHA-512:1076165011E20C2686FB6F84A47C31DA939FA445D9334BE44BDAA515C9269499BD70F83EB5FCFA6F34CF7A707A828FF1B192EC21245EE61817F06A66E74FF509
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1447471
                                                                                                              Entropy (8bit):4.9359290577138335
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24576:2MMMMMMSLLLLLLLFMMMMMMSLLLLLLLsMMMMMMSLLLLLLLi:2MMMMMMSLLLLLLLFMMMMMMSLLLLLLLsb
                                                                                                              MD5:A3DE4E425C8D91DBC0DF62FDAF41DE92
                                                                                                              SHA1:8B5D09E89D06AAEECEDF1AB71D1958F9C7822E4F
                                                                                                              SHA-256:EC2CF0D66E92D5DB546A56016FA36A031CBB3FCE7E411590A81D0FF934F8AE10
                                                                                                              SHA-512:D280C8F41D86CF8782B47EAE23D7E7097F4926B8C017619267E3C891FF1827EC98672F980FFC78E0184DF2378602C285AD4D0A3775F9B266660A9B6911613410
                                                                                                              Malicious:false
                                                                                                              Preview:...@IXOS.@.....@U..Y.@.....@.....@.....@.....@.....@......&.{77817ADF-D5EC-49C6-B987-6169BBD5345B} .Remote Manipulator System - Host..Word.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{134AA6F2-2A49-44F2-A7A5-B7B9233956FA}.....@.....@.....@.....@.......@.....@.....@.......@.... .Remote Manipulator System - Host......Rollback....B.:.0.B. .4.5.9.A.B.2.8.O.:...[1]..RollbackCleanup..#.4.0.;.5.=.8.5. .2.@.5.<.5.=.=.K.E. .D.0.9.;.>.2...$.0.9.;.:. .[.1.]....@.......@........ProcessComponents"...1.=.>.2.;.5.=.8.5. .@.5.3.8.A.B.@.0.F.8.8. .:.>.<.?.>.=.5.=.B.>.2....@.....@.....@.]....&.{74F2505E-B20A-4AED-968F-AE5B278DB38A}8.C:\Program Files (x86)\Remote Manipulator System - Host\.@.......@.....@.....@......&.{26EAB54E-4659-47E8-86F9-4CB74F7E03BE}...@.......@.....@.....@......&.{596F4636-5D51-49F5-B3B4-F3C366E9DC23}...@.......@.....@.....@...........@....&.{00000000-0000-0000-0000-000000000000}.@.....@.....@......&.{182310A2-CD9E-4171-ACD1-3AEDD260A15F}D.C:\Program Files (x86)\Remote Manip
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                              Category:dropped
                                                                                                              Size (bytes):20480
                                                                                                              Entropy (8bit):1.161373901427909
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12:JSbX72FjUlAGiLIlHVRpzh/7777777777777777777777777vDHF5t07x6uPp01z:JwQI53vt016uy8F
                                                                                                              MD5:D57527B0B0A77CC4C61D5BD585C4F90E
                                                                                                              SHA1:99D603BD2C66F5C347161CA52EDEE3F24E98D242
                                                                                                              SHA-256:8C155F1B59CE92F5CF2113B4E8A8877E512051DD0FD0997A28193E3E1CBA96D6
                                                                                                              SHA-512:F72801C06D6896FE710EE9978E498354BC724A68F5F2C80F2C78179EC4D1E4BFA36A72C54A5FD9388D32CE37458FD29B26F9641C573A63ACEA34223418186E42
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                              Category:dropped
                                                                                                              Size (bytes):20480
                                                                                                              Entropy (8bit):1.923650457531865
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:Dr8PhhuRc06WXOcFT5vUSKdgfdguOdghRXdgkdgpdgKdgt6AdgNi2SBwdgfdguOo:+hh1aFTZUUGkOzs9t4pqvGkOzs9Hf
                                                                                                              MD5:B787570A79D27186482D199BD3A2601C
                                                                                                              SHA1:CD45074BD7EC1C282999A842AD56D20238C349E1
                                                                                                              SHA-256:E3D71261F200C0B83E74BA58360731866FD88D0847C421D3706427A8E76C2799
                                                                                                              SHA-512:831061CFA3661F9F5B4C248E49E3F93DCD545E7FEF2395EB03F042BFE7333FDBF59EB264D43EFE75295493D09FC6EC27199F0A97BCC8EA38F1ABB35E477F27D0
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):79000
                                                                                                              Entropy (8bit):5.817675016279098
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:768:/MAyYdTmPJbgqcnDckJ42T1IPAMxkEo2T1OtoAMxkEbK:/1U81ckJ52xVPxnK
                                                                                                              MD5:E8CBBBE641AA6205C0E028CE7DC72CFE
                                                                                                              SHA1:E845FB6044E5F611F4F990B76AA4762FAB6E96C9
                                                                                                              SHA-256:61481606FE3FF53C9483586B4A95181D96F5679667ACCD582166069B10233D77
                                                                                                              SHA-512:D12E6BBA83F1B41BB2B937B315C5CDD3ADFA60C318AD1E958D99251822810739D2C6EC75B664BBC3116B0CDBBBFA4BEBA234B8C604F303391E21CDA0C24767E5
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L.....-a.................@...................P....@.........................................................................4T..(.......t0...............d...........................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc...t0.......@..................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):70808
                                                                                                              Entropy (8bit):5.60723121147002
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:768:RdMAyYdTmPJbgqcnDc/soJP2T1qAMxkEvQ2T1h8uAMxkE4:/1U81cLJOGxF/hxM
                                                                                                              MD5:F0F36966AD2B91DBE0C8B9D4E0A1AB0E
                                                                                                              SHA1:B7787445DDD42A3B4753AFC0B02B270DDC1693FC
                                                                                                              SHA-256:BE3C9594F315F2CE2698DFF54F7B41F012B25BF208DD88CEA7AC92936EC84AE9
                                                                                                              SHA-512:B178A35B3F0A3CA67D632901C1F0AF309F51267DFA827AE029475C63BCF2BA51694C717C94989D7E457E915DAE74B43C3C6B405113249A7B1FF0E9BAE67E0949
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L.....-a.................@...`...............P....@.........................................................................4T..(.......\................d...........................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc...\........ ..................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):423064
                                                                                                              Entropy (8bit):4.6899574334599645
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:1536:c1U81cqS/ZJgAmxJtAqXy/yxREpU1WyY68iuuuu6AppppppppEMMMMMMMSLLLLL+:UjcT6uuuutMMMMMMSLLLLLLLeYTZg
                                                                                                              MD5:6A9AA00C428A946F9A5C5546A458ECA0
                                                                                                              SHA1:06A70B197DEE2FC106576C6719CFF046D2747396
                                                                                                              SHA-256:16601981E37F2FE16B8E0EA4626ABF57013458B63D1A71C8FA3B5080F3C191F5
                                                                                                              SHA-512:EADDEE089D18ED744BB1DCAAA98A8F6E201022432C55D037D2A7EF994532197EF595E44DEEF9DB0CFAE8ACA50F4AB90CEEDB49F8E920E6B4FAF6C60B6EFEDD51
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L.....-a.................@...................P....@.................................v.......................................4T..(........u...............d...........................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc....u..........................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):423064
                                                                                                              Entropy (8bit):4.690218208041496
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:1536:R1U81cqS/ZJgAmxJtAqXy/yxREpU1WyY68iuuuu6AppppppppEMMMMMMMSLLLLLe:DjcT6uuuutMMMMMMSLLLLLLLeYuGVk
                                                                                                              MD5:AB85C5EEAD096C4E5D0A2914C24F59B2
                                                                                                              SHA1:E189F9BA583B0A4EEE1C817C9DA8A5D72A038A83
                                                                                                              SHA-256:F4F656CC3CD99ABC4CFC1A70BD77C52E36D59852987BE530E131CEF8238F4BA7
                                                                                                              SHA-512:E70ACF9FCA9F0378FAC97421550984FF166D8D1D83F423400B108E804CA876EA6D7517398637D64C34CC0E46C14048BB9F50C8268D993FA983DB6B0E44A9C352
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L.....-a.................@...................P....@.................................>.......................................4T..(........u...............d...........................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc....u..........................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):423064
                                                                                                              Entropy (8bit):4.690232052098797
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:1536:o1U81cqS/ZJgAmxJtAqXy/yxREpU1WyY68iuuuu6AppppppppEMMMMMMMSLLLLLU:IjcT6uuuutMMMMMMSLLLLLLLeYFuv
                                                                                                              MD5:03A18CE97AA1C45D834524B8A408BC17
                                                                                                              SHA1:72ABD8B4AC974928684B6D089F8573C70D431808
                                                                                                              SHA-256:0ACFCA29B6128E0161B4E6D93FFF7686A96128016846625763DAB7F9CE059DEF
                                                                                                              SHA-512:2A2DC903E4179EC83BB4FA557FFCCE8BA3D8FC175E9C817D34BA186704ECF06A281D96D35B12B8D54FE35683030942FDC9A3A1FDFDBEAA755A60436F3C7B3483
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L.....-a.................@...................P....@........................................................................4T..(........u...............d...........................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc....u..........................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):432221
                                                                                                              Entropy (8bit):5.375175310962875
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauQ:zTtbmkExhMJCIpEr5
                                                                                                              MD5:CF5F9348B6C0C4325B69325EEBBDB972
                                                                                                              SHA1:290F98E0F235EBE44D1400136845D3436864F2FB
                                                                                                              SHA-256:E0DCF2801CBB00232B1862D9AF7389C3CD3CE6253CB419B280D71147C24FCAD9
                                                                                                              SHA-512:1C318FC10BF41073A02A2BED6FD5CB820E2B8A442DFF82C620EC1296E6DA641276B886FA7933BC31E5F5CD36130D6C7D7F0318F62BFC62FD773FAFB580A2A8C4
                                                                                                              Malicious:false
                                                                                                              Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                              File Type:JSON data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):55
                                                                                                              Entropy (8bit):4.306461250274409
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                              MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                              SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                              SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                              SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                              Malicious:false
                                                                                                              Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                              Process:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1712
                                                                                                              Entropy (8bit):7.600066630143131
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:Vk1IBjhQbwTcjgArtuFPSGBAS7jF78oekZdCrphruWeI8h6FfymkBZGfKkamo3zK:3QbwDj9BdCusxIsfLamo3T6
                                                                                                              MD5:8FB130F5B59F5762C3725C5EDA4FEF8C
                                                                                                              SHA1:71335C56C7427E97B42F31AD741EA3D0DF29FC5B
                                                                                                              SHA-256:5548A1E83E868D3D6F20C135864757DD962C2BE4B4697C3DD273BFE90E318071
                                                                                                              SHA-512:3BDD74D0C6097BE27C3807E914AF80B07747F1A73C8553AAFC2409ADD4EBB32B48774002597E7F0F1CD693E24859DA35F68DE5800554D08A4018CE74EC41563D
                                                                                                              Malicious:false
                                                                                                              Preview:0..........0.....+.....0......0...0..........j.....*.t......*..20241203060259Z0s0q0I0...+..............B..M.%..Dg..5 .....F...x9...C.VP..;..w.......T..r...G....20241203060259Z....20241207060258Z0...*.H.............+.,T....5...0."(....&.+v..^x~C.j.x..en..;..G.....F.gl.^(...j"T......~.XXz...!~.fch8..L.0.......p..[...w.i..m...@....._.g......h...UU.p\o..o.P.Vb.hx....9.u...k.|:.]...CF.....?.<"...iC.<K)P.IC..E.^...p$2>`....}....{....f$T.5.. ...o...?].t...I....0...0...0............|.w.7@$.L.!...0...*.H........0S1.0...U....BE1.0...U....GlobalSign nv-sa1)0'..U... GlobalSign Code Signing Root R450...240717031756Z..250215000000Z0g1.0...U....BE1.0...U....GlobalSign nv-sa1=0;..U...4GlobalSign Code Signing Root R45 - OCSP 1.2 202411070.."0...*.H.............0............U...;..pc+..o.K..0...6.'...F.C..}.....%E..F.q.-\.u{..$.....#8.,{...^OEQ..P..~ZU..f.0........Ky+..(..q.............sy...e.0...Z.]X1.A....z.....g.p.{.~,u.0R..f.SOx".Q_.{......`T.&[&2..P|.......h.Z(A;.3.]$...k`.
                                                                                                              Process:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1680
                                                                                                              Entropy (8bit):7.609103808405835
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:+sR2QSKyg2G237nIxCw5DgSUnpU446J8WpNTE:F9Z2N37n4Cw5MSiw6mOTE
                                                                                                              MD5:9B7CEE7FC2507E7B498924A5DD1F64B7
                                                                                                              SHA1:703360D20DC050704F9E518722F1EB59E07D237F
                                                                                                              SHA-256:406E6229A2C02CEA8A1314AB7D8437BBFA0341CE545E196B28F9A2990252ABBD
                                                                                                              SHA-512:9C20F9FFE6EF56534678A3FB7CC3882602FF772BA893279437D32026AAACC83F8F7EA442C9D438593DA21AFAFF640903ECA604BEE302C5CB2A7ED7841D504CB0
                                                                                                              Malicious:false
                                                                                                              Preview:0..........0.....+.....0.....r0..n0............`...H,.&...=...20241203052001Z0o0m0E0...+...........r...nK..._..[.Q.....$..kw...Y.!gdv.x..vF...M...k3....20241203052001Z....20241207052000Z0...*.H................ih..]."...h.vc..]f.......M=|..Z./.......`.....I...:.AP&.%.rn..6"..Z...7UD,...D.N.W.!..K..B.B;.!.....j...Z....\......C.L>..N...-.y.xM....%...)...p...?o.,.....@U..Q...G......... ...u*.pQZ...y<$Q..9....-.y.Rr.%....V..}...!N.?..s.z.X..>D/...F...l....0...0...0..........f3...z.....0...*.H........0Y1.0...U....BE1.0...U....GlobalSign nv-sa1/0-..U...&GlobalSign GCC R45 CodeSigning CA 20200...240920234113Z..241221234112Z0Z1.0...U....BE1.0...U....GlobalSign nv-sa100...U...'gsgccr45codesignca2020CA OCSP Responder0.."0...*.H.............0.........+..6b.I...$...f.C.K?}.s...r;.y.m,]q.....@.N.2..x.F5Y........%.).....>.yH.....*.\.9.<..ns..,..jQ.....~..V.N..Y.........8.a..Rg..A3....[.p<......by..Y.y...9....7%.%.i$..I..T~........2i....R..rW..~.!..e...;....\.9;<L.._..I.Fe.
                                                                                                              Process:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1435
                                                                                                              Entropy (8bit):7.512146146896367
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:qnjIZwv6A6lPxYYsLLeggpNORwfF7YpQfvmE1yPq8hruWa2tHP+HLuuDXXWLaH:Nuv6rpeY2epORK9q3nPq4uRY4LuubXv
                                                                                                              MD5:202BEE7796FAD3E0BD2EAC1EC2626DE8
                                                                                                              SHA1:016F6CBA78AE2767B0BAA65122ED510EA8BAB907
                                                                                                              SHA-256:04AA0DD38E6549F10CA7D666BF0E52B077DA3DB81BFE4379582A586998263F75
                                                                                                              SHA-512:CDC1B23ABD9A4525AEFE4C5EF48173626493B5F8B978523809E6A35C1B47E1F69DDA829BC1EC4D55CA17F6DDE5BD47B4CBDC77575844C219EF1B54C94FF82188
                                                                                                              Malicious:false
                                                                                                              Preview:0..........0.....+.....0.....}0..y0......$L..|6..h(4.]........20241203065702Z0s0q0I0...+..........h.$..*y.u.3.V..G.....K...E$.MP.c.........x..BEp.A.o...T....20241203065702Z....20241207065701Z0...*.H.............i...g.^'y.....p.....\."z)<....K5.K.lA..SP(0B?...R.%.\....@.3IrE.._+.....4.u_...}..... ....C8...G@-.....h.*Z....LM.p.f...y7.g*h{.....R]`....6.>.t...x...8.tu].A........P...&F..W;.d.`.w......R@.5.I[.L..'x.`...=A.....P(y..T.j..)K^..,kP[eI...^.'.6.{....0...0...0............|.X........-..0...*.H........0L1 0...U....GlobalSign Root CA - R31.0...U....GlobalSign1.0...U....GlobalSign0...240717031720Z..250215000000Z0Y1.0...U....BE1.0...U....GlobalSign nv-sa1/0-..U...&GlobalSign Root R3 - OCSP 1.2 202411070.."0...*.H.............0..........U\m..$*.o@E.<.c.*.).S..L...HN.<W|.F .........h...zo..vk..%M.".j.P..U!/..v.Th.R..(.i..$P....^l..@qe....q.l..6....cB.:.;.KU......J..*>.....$..(.h J.6;.....N..(r).i.*...o.<-..c..2.]<.7r.../.Ni..}q...8B.LT./'...=b.>....C........"..
                                                                                                              Process:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):532
                                                                                                              Entropy (8bit):4.029475297264721
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12:znz1fDWzJqe3KQj22iv8sFF1gUeMalCrlQNlVgfMGSzlK1uP:Tz1fDgJRjYvP+U7uCKlCMtJI2
                                                                                                              MD5:113E088DB8288D981EF6D6F8315E19C1
                                                                                                              SHA1:442E00B72AF7B400C5049DE4E32D3F462C91B434
                                                                                                              SHA-256:E3E886384490B676A8CA4B81732DBEF6F76F25BFCD21CE62F8A334D1527A24D1
                                                                                                              SHA-512:63E4E8F75B5D4EE8DC3E2B1B88E2F17F721689F1B74989996701D30D81F60BF2DBFAEEF1A1539E89C28341D425954FDFC6C431E8D9641A95A4917F5526B6B370
                                                                                                              Malicious:false
                                                                                                              Preview:p...... ....J....:T:YE..(................+..IE......mH......................mH.. ........+..IE......V...............h.t.t.p.:././.o.c.s.p...g.l.o.b.a.l.s.i.g.n...c.o.m./.c.o.d.e.s.i.g.n.i.n.g.r.o.o.t.r.4.5./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.Q.V.F.Z.P.5.v.q.h.C.r.t.R.N.5.S.W.f.4.0.R.n.6.N.M.1.I.A.Q.U.H.w.C.%.2.F.R.o.A.K.%.2.F.H.g.5.t.6.W.0.Q.9.l.W.U.L.v.O.l.j.s.C.E.H.e.9.D.g.O.h.t.w.j.4.V.K.s.G.c.h.D.Z.B.E.c.%.3.D...".7.1.3.3.5.c.5.6.c.7.4.2.7.e.9.7.b.4.2.f.3.1.a.d.7.4.1.e.a.3.d.0.d.f.2.9.f.c.5.b."...
                                                                                                              Process:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):544
                                                                                                              Entropy (8bit):3.879515564289567
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12:alOtpCW8gzpDWzf79bLgLzK8sFAY6ealztksMGH4Z+h:7p3zpDgz9YLmvqY6mIh
                                                                                                              MD5:EEE67ECF8B5EDF29DC840A0CA1687F51
                                                                                                              SHA1:744FCD3BC5277C4BBE4B2C1EA28A41C1EDA0B681
                                                                                                              SHA-256:5F44F6ACCC60AE8713A577491E7648696E3D5984C7EFD2967C35B0F9C6B52D4A
                                                                                                              SHA-512:8633045AB76131E58B8E0E9866A2511BA1924B02AF8867246DFC190EB7EFD228FDBCD7F6BD470DA7BA681B6FD2FCF8480BA5C1E6FE55D1BEB5BE2319E135CBC5
                                                                                                              Malicious:false
                                                                                                              Preview:p...... ....V......:YE..(.................o.CE....~.gH....................~.gH.. .........o.CE......V....:..........h.t.t.p.:././.o.c.s.p...g.l.o.b.a.l.s.i.g.n...c.o.m./.g.s.g.c.c.r.4.5.c.o.d.e.s.i.g.n.c.a.2.0.2.0./.M.E.0.w.S.z.B.J.M.E.c.w.R.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.L.u.A.3.y.g.n.K.W.%.2.F.7.x.u.S.x.%.2.F.0.9.F.%.2.B.h.H.V.u.E.U.Q.Q.U.2.r.O.N.w.C.S.Q.o.2.t.3.0.w.y.g.W.d.0.h.Z.2.R.2.C.3.g.C.D.H.Z.G.D.p.D.i.h.E.2.3.%.2.B.Y.N.r.M.w.%.3.D.%.3.D...".7.0.3.3.6.0.d.2.0.d.c.0.5.0.7.0.4.f.9.e.5.1.8.7.2.2.f.1.e.b.5.9.e.0.7.d.2.3.7.f."...
                                                                                                              Process:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):508
                                                                                                              Entropy (8bit):4.019471982195225
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12:Nbt5G+zbgDWzFU8iv8sFt4QAfROA/pUL3oT4SHEm:Fr3zcDgFUhv/ofROS6L8Em
                                                                                                              MD5:E7FB970B19E532E1864A1ECBA5E261C6
                                                                                                              SHA1:ABAB77A006227447773C96B7EE8A32B9D01207DA
                                                                                                              SHA-256:DCE4217481531FEC059F2100CA404F4AD0BA75EA02F3AF3D032688824633D6FC
                                                                                                              SHA-512:DCA8B39EC584D227BC31D1CEABB2394DE97E7A8D293A9A40F7AD5464CDDDAC4FE0FF15B3DF4E99D19CB1B2D2047AB71E7BB3A8FCF198BF57E1A90F73E40FEF83
                                                                                                              Malicious:false
                                                                                                              Preview:p...... ....2....d.:YE..(...................PE.....7uH.....................7uH.. ...........PE......V...............h.t.t.p.:././.o.c.s.p...g.l.o.b.a.l.s.i.g.n...c.o.m./.r.o.o.t.r.3./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.1.n.G.h.%.2.F.J.B.j.W.K.n.k.P.d.Z.I.z.B.1.b.q.h.e.l.H.B.w.Q.U.j.%.2.F.B.L.f.6.g.u.R.S.S.u.T.V.D.6.Y.5.q.L.3.u.L.d.G.7.w.C.E.H.g.D.G.E.J.F.c.I.p.B.z.2.8.B.u.O.6.0.q.V.Q.%.3.D...".0.1.6.f.6.c.b.a.7.8.a.e.2.7.6.7.b.0.b.a.a.6.5.1.2.2.e.d.5.1.0.e.a.8.b.a.b.9.0.7."...
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                              Category:dropped
                                                                                                              Size (bytes):20480
                                                                                                              Entropy (8bit):1.923650457531865
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:Dr8PhhuRc06WXOcFT5vUSKdgfdguOdghRXdgkdgpdgKdgt6AdgNi2SBwdgfdguOo:+hh1aFTZUUGkOzs9t4pqvGkOzs9Hf
                                                                                                              MD5:B787570A79D27186482D199BD3A2601C
                                                                                                              SHA1:CD45074BD7EC1C282999A842AD56D20238C349E1
                                                                                                              SHA-256:E3D71261F200C0B83E74BA58360731866FD88D0847C421D3706427A8E76C2799
                                                                                                              SHA-512:831061CFA3661F9F5B4C248E49E3F93DCD545E7FEF2395EB03F042BFE7333FDBF59EB264D43EFE75295493D09FC6EC27199F0A97BCC8EA38F1ABB35E477F27D0
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):512
                                                                                                              Entropy (8bit):0.0
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3::
                                                                                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                              Category:dropped
                                                                                                              Size (bytes):32768
                                                                                                              Entropy (8bit):1.5174651351014843
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:IwZuUPvcFXORT5XUkyeUSKdgfdguOdghRXdgkdgpdgKdgt6AdgNi2SBwdgfdguOo:hZ+MTZt1UUGkOzs9t4pqvGkOzs9Hf
                                                                                                              MD5:17684F13E337752476A76E308BD51AB4
                                                                                                              SHA1:CCC97C7FEB02A4739EB3C19F56F97BB1627EE9EF
                                                                                                              SHA-256:BD1FC8D386C72E1D0B1532F2B9F12D04585AE4693FFDED35411DDA8CDF471A79
                                                                                                              SHA-512:A0B25581D81358E1EE07BB8DCEB744313ECA49CA81D8157C7DECD3D764E0E044B51D032CF46843848D278CEFA5A3BB298A062FB57E4EC74FF4013CADDB6E3708
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):512
                                                                                                              Entropy (8bit):0.0
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3::
                                                                                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):512
                                                                                                              Entropy (8bit):0.0
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3::
                                                                                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):32768
                                                                                                              Entropy (8bit):0.06843743119485104
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOZft07x6qkWrkoVky6l0t/:2F0i8n0itFzDHF5t07x6uC01
                                                                                                              MD5:B23A8F32998499DA774A3479193D91FB
                                                                                                              SHA1:0FE95AAD29FA238A9488C7C9BF7E1E265A18497B
                                                                                                              SHA-256:3272D0750CE59B4FF12F23F507659A50D8EC4C4562130BD41A529780E660C33D
                                                                                                              SHA-512:DBF24A27950DB9528F76E5FCD10F74518083DBBEBB583EA4CDD4295B3122B16640F7AA9C5E3D27DF38E2B0B40E89FF575FA3BBAF249FC0DBB25A4CAA9F7FB30E
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                              Category:dropped
                                                                                                              Size (bytes):20480
                                                                                                              Entropy (8bit):1.923650457531865
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:Dr8PhhuRc06WXOcFT5vUSKdgfdguOdghRXdgkdgpdgKdgt6AdgNi2SBwdgfdguOo:+hh1aFTZUUGkOzs9t4pqvGkOzs9Hf
                                                                                                              MD5:B787570A79D27186482D199BD3A2601C
                                                                                                              SHA1:CD45074BD7EC1C282999A842AD56D20238C349E1
                                                                                                              SHA-256:E3D71261F200C0B83E74BA58360731866FD88D0847C421D3706427A8E76C2799
                                                                                                              SHA-512:831061CFA3661F9F5B4C248E49E3F93DCD545E7FEF2395EB03F042BFE7333FDBF59EB264D43EFE75295493D09FC6EC27199F0A97BCC8EA38F1ABB35E477F27D0
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                              Category:dropped
                                                                                                              Size (bytes):32768
                                                                                                              Entropy (8bit):1.5174651351014843
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:IwZuUPvcFXORT5XUkyeUSKdgfdguOdghRXdgkdgpdgKdgt6AdgNi2SBwdgfdguOo:hZ+MTZt1UUGkOzs9t4pqvGkOzs9Hf
                                                                                                              MD5:17684F13E337752476A76E308BD51AB4
                                                                                                              SHA1:CCC97C7FEB02A4739EB3C19F56F97BB1627EE9EF
                                                                                                              SHA-256:BD1FC8D386C72E1D0B1532F2B9F12D04585AE4693FFDED35411DDA8CDF471A79
                                                                                                              SHA-512:A0B25581D81358E1EE07BB8DCEB744313ECA49CA81D8157C7DECD3D764E0E044B51D032CF46843848D278CEFA5A3BB298A062FB57E4EC74FF4013CADDB6E3708
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                              Category:dropped
                                                                                                              Size (bytes):32768
                                                                                                              Entropy (8bit):1.5174651351014843
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:IwZuUPvcFXORT5XUkyeUSKdgfdguOdghRXdgkdgpdgKdgt6AdgNi2SBwdgfdguOo:hZ+MTZt1UUGkOzs9t4pqvGkOzs9Hf
                                                                                                              MD5:17684F13E337752476A76E308BD51AB4
                                                                                                              SHA1:CCC97C7FEB02A4739EB3C19F56F97BB1627EE9EF
                                                                                                              SHA-256:BD1FC8D386C72E1D0B1532F2B9F12D04585AE4693FFDED35411DDA8CDF471A79
                                                                                                              SHA-512:A0B25581D81358E1EE07BB8DCEB744313ECA49CA81D8157C7DECD3D764E0E044B51D032CF46843848D278CEFA5A3BB298A062FB57E4EC74FF4013CADDB6E3708
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):73728
                                                                                                              Entropy (8bit):0.27579776074621326
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:2IOYXSBwdgfdguOdghRXdgkdgpdgKdg4SKdgfdguOdghRXdgkdgpdgKdgt6AdgNC:HOGqvGkOzs94UGkOzs9t4g
                                                                                                              MD5:FF63742A61206C5577607E5A95ED588F
                                                                                                              SHA1:FCC5CBE805D026EB89A9D1DE039411E39FE9EF9E
                                                                                                              SHA-256:B62F19CD0670FE051D8E2256FF47819D0631A8B1F4BA269FC441D4181C7B2AB9
                                                                                                              SHA-512:615F177DAB6BA848706EB1647494F01CEFF1FA4D68E779C31FB221FDCFC3F8A20294B631305E0F390BD7AB04BA8250A56B6B131902FF66E587BB25B187149760
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):512
                                                                                                              Entropy (8bit):0.0
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3::
                                                                                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):512
                                                                                                              Entropy (8bit):0.0
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3::
                                                                                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                              Malicious:false
                                                                                                              Process:C:\Users\user\Desktop\442.docx.exe
                                                                                                              File Type:Microsoft Word 2007+
                                                                                                              Category:dropped
                                                                                                              Size (bytes):230038
                                                                                                              Entropy (8bit):7.636957641054668
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3072:nzyKKhARKP6+FeRJhaigk8Ukyhxv8vyNrwyJN2EiXo4EaCNSltkprZvyYqZtGVVu:nzyKKhEKBSf/vv8vyNjz9oltkyYzcZ
                                                                                                              MD5:773D2787D661474A840B907C8A22D4E9
                                                                                                              SHA1:A6A0E3C4AB4063BC74C65D6EC0CB43B67F1D767F
                                                                                                              SHA-256:BA82FE356B21118D92B04A74EF8466A59F4802FD9B061F6E9A28E16CF7A5A8B3
                                                                                                              SHA-512:7EC868F9B7B47A757BBB5ABF5639F97C47D79AC55DD07954F3EEE93384B555F7C4C817B687C8C486DC97F4174A8CC04DEED342E8ADD6EA2EDB5EE381FC612BEA
                                                                                                              Malicious:false
                                                                                                              Process:C:\Users\user\Desktop\442.docx.exe
                                                                                                              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: RMS - Host 7.2, Comments: This installer contains the logic and data to install RMS - Host 7.2, Keywords: Installer,MSI,Database, Subject: RMS - Host 7.2, Author: TektonIT, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2021 - Premier Edition with Virtualization Pack 27, Last Saved Time/Date: Thu Jul 18 02:24:09 2024, Create Time/Date: Thu Jul 18 02:24:09 2024, Last Printed: Thu Jul 18 02:24:09 2024, Revision Number: {134AA6F2-2A49-44F2-A7A5-B7B9233956FA}, Code page: 1251, Template: Intel;1049
                                                                                                              Category:dropped
                                                                                                              Size (bytes):26864640
                                                                                                              Entropy (8bit):7.924911310016854
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:393216:3fWbJGFHH0km5pmwUs1211e50MRZDzPHPRn9xrUVaWILZPLM4ShshVK6KZ478Qic:3fRLmf21sq8P50dILZPLzVK6D
                                                                                                              MD5:24F15E659ECB67862F4C6E72726BFCA7
                                                                                                              SHA1:75D90172D7A315A31A484629DC8573367F3E544A
                                                                                                              SHA-256:F11C06F1FD567E26FB4CE9999749516B6E47ADE4EE0B7B875A75A5CBFB74DC04
                                                                                                              SHA-512:913C9FB7FDCA7F9F7DD7077C34092E76E42D88802406C9A5F6E8AA0C21E4F21FEE850A39B95982EFE9ED4A2D022A95C30739CC20DC65F3C6722B6022D8F76B3C
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):162
                                                                                                              Entropy (8bit):4.717661560909372
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:t4qKF0n4ejBl4XRre0HmzFDkfUnYaL9q:JK+4ejBlYRreAm9kdaw
                                                                                                              MD5:6A3271C6232540F9D92EDA49EE371510
                                                                                                              SHA1:010073CEE7CBA8FDD39641A52719DB483B1328DB
                                                                                                              SHA-256:EBCF7A361BFFD5BEFFAFDCAF9E5B9C61016291B950602FF48AEBA4C1137825E6
                                                                                                              SHA-512:64A173BE765C9F04B26F5041D5DFDCED9ABD3B9150F4269ED18E4D4B1CED156E7E5D450E57147D8DAEA4864682A5836231DDE683DBF2F621D90E3FFDB57DA148
                                                                                                              Malicious:false
                                                                                                              File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                              Entropy (8bit):7.998140922332344
                                                                                                              TrID:
                                                                                                              • Win64 Executable GUI (202006/5) 92.65%
                                                                                                              • Win64 Executable (generic) (12005/4) 5.51%
                                                                                                              • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                                              • DOS Executable Generic (2002/1) 0.92%
                                                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                              File name:442.docx.exe
                                                                                                              File size:25'141'051 bytes
                                                                                                              MD5:fb8117b1a3f0924100fbc209dbbb1bb1
                                                                                                              SHA1:9d18c954eae8e8f8437d4e32d0b685f3f51b982b
                                                                                                              SHA256:beaa1498a67bab02bc4c08f00bde36489aaa86ad8b01ee70b477452a08d360ec
                                                                                                              SHA512:fcaba4304f26eefa476202e17ca85c3f994d2086f78fa86f1d73f7d6c926825a4ac3b02ceae2d8cde3583f02fdbf87139741035368f6d4b77c4f8c790df330fd
                                                                                                              SSDEEP:393216:bnD8YsCFVxnq/mIhNAl2543UCCCQrTTNi5NRmclImNm/U29ieL:bgYlFV8/1AbOrXNihH29LL
                                                                                                              TLSH:14473325EE400AB1E2FAD47098159413D63C3C5DC228B2A722F997287FF7B755B67388
                                                                                                              Icon Hash:0b03084c4e4e0383
                                                                                                              Entrypoint:0x140032ee0
                                                                                                              Entrypoint Section:.text
                                                                                                              Digitally signed:false
                                                                                                              Imagebase:0x140000000
                                                                                                              Subsystem:windows gui
                                                                                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                                              Time Stamp:0x66409723 [Sun May 12 10:17:07 2024 UTC]
                                                                                                              TLS Callbacks:
                                                                                                              CLR (.Net) Version:
                                                                                                              OS Version Major:5
                                                                                                              OS Version Minor:2
                                                                                                              File Version Major:5
                                                                                                              File Version Minor:2
                                                                                                              Subsystem Version Major:5
                                                                                                              Subsystem Version Minor:2
                                                                                                              Import Hash:b1c5b1beabd90d9fdabd1df0779ea832
                                                                                                              Instruction
                                                                                                              int3
                                                                                                              Programming Language:
                                                                                                              • [ C ] VS2008 SP1 build 30729
                                                                                                              • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x597a0 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x597d4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x70000 | 0x1558c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x6a000 | 0x306c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x86000 | 0x970 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x536c0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x53780 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4b3f0 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x48000 | 0x508 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x588bc | 0x120 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x4676e | 0x46800 | f06bb06e02377ae8b223122e53be35c2 | False | 0.5372340425531915 | data | 6.47079645411382 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x48000 | 0x128c4 | 0x12a00 | 2de06d4a6920a6911e64ff20000ea72f | False | 0.4499003775167785 | data | 5.273999097784603 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x5b000 | 0xe75c | 0x1a00 | 0dbdb901a7d477980097e42e511a94fb | False | 0.28275240384615385 | data | 3.2571023907881185 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x6a000 | 0x306c | 0x3200 | b0ce0f057741ad2a4ef4717079fa34e9 | False | 0.483359375 | data | 5.501810413666288 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat | 0x6e000 | 0x360 | 0x400 | 1fcc7b1d7a02443319f8fcc2be4ca936 | False | 0.2578125 | data | 3.0459938492946015 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA | 0x6f000 | 0x15c | 0x200 | 3f331ec50f09ba861beaf955b33712d5 | False | 0.408203125 | data | 3.3356393424384843 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x70000 | 0x1558c | 0x15600 | 50f0a4d841d0856138dbb9d7187108bf | False | 0.1905953033625731 | data | 5.443581422941128 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x86000 | 0x970 | 0xa00 | 77a9ddfc47a5650d6eebbcc823e39532 | False | 0.52421875 | data | 5.336289720085303 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x70554 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | | | 1.0027729636048528
PNG | 0x7109c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | | | 0.9363390441839495
RT_ICON | 0x72648 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 15118 x 15118 px/m | | | 0.06374955637051934
RT_DIALOG | 0x82e70 | 0x2ba | data | | | 0.5286532951289399
RT_DIALOG | 0x8312c | 0x13a | data | | | 0.6560509554140127
RT_DIALOG | 0x83268 | 0xf2 | data | | | 0.71900826446281
RT_DIALOG | 0x8335c | 0x14a | data | | | 0.6
RT_DIALOG | 0x834a8 | 0x314 | data | | | 0.47588832487309646
RT_DIALOG | 0x837bc | 0x24a | data | | | 0.6279863481228669
RT_STRING | 0x83a08 | 0x1fc | data | | | 0.421259842519685
RT_STRING | 0x83c04 | 0x246 | data | | | 0.41924398625429554
RT_STRING | 0x83e4c | 0x1a6 | data | | | 0.514218009478673
RT_STRING | 0x83ff4 | 0xdc | data | | | 0.65
RT_STRING | 0x840d0 | 0x470 | data | | | 0.3873239436619718
RT_STRING | 0x84540 | 0x164 | data | | | 0.5056179775280899
RT_STRING | 0x846a4 | 0x110 | data | | | 0.5772058823529411
RT_STRING | 0x847b4 | 0x158 | data | | | 0.4563953488372093
RT_STRING | 0x8490c | 0xe8 | data | | | 0.5948275862068966
RT_STRING | 0x849f4 | 0x1c6 | data | | | 0.5242290748898678
RT_STRING | 0x84bbc | 0x268 | data | | | 0.4837662337662338
RT_GROUP_ICON | 0x84e24 | 0x14 | data | | | 1.15
RT_MANIFEST | 0x84e38 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.39786666666666665
DLL | Import
KERNEL32.dll | LocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindNextFileA, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, RtlUnwindEx, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll | GdipCloneImage, GdipFree, GdipDisposeImage, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipAlloc
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-03T09:00:05.231772+0100 | 2849354 | ETPRO MALWARE Remote Admin Backdoor Related Activity | 1 | 192.168.2.4 | 49874 | 111.90.147.125 | 80 | TCP
                                                                                                              Dec 3, 2024 09:00:16.264920950 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:17.212007046 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:17.264955997 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:18.229716063 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:18.280556917 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:18.627902031 CET498728080192.168.2.478.138.9.142
                                                                                                              Dec 3, 2024 09:00:18.632432938 CET49871465192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:18.640340090 CET498735651192.168.2.478.138.9.142
                                                                                                              Dec 3, 2024 09:00:18.789397001 CET80804987278.138.9.142192.168.2.4
                                                                                                              Dec 3, 2024 09:00:18.793356895 CET46549871111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:18.801419973 CET56514987378.138.9.142192.168.2.4
                                                                                                              Dec 3, 2024 09:00:19.242973089 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:19.296185017 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:20.243308067 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:20.296179056 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:21.258311987 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:21.311872005 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:22.273948908 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:22.327426910 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:23.274409056 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:23.327439070 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:24.289674997 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:24.343197107 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:25.290096045 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:25.343079090 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:25.550432920 CET80804987278.138.9.142192.168.2.4
                                                                                                              Dec 3, 2024 09:00:25.550626993 CET498728080192.168.2.478.138.9.142
                                                                                                              Dec 3, 2024 09:00:25.550715923 CET56514987378.138.9.142192.168.2.4
                                                                                                              Dec 3, 2024 09:00:25.550766945 CET498735651192.168.2.478.138.9.142
                                                                                                              Dec 3, 2024 09:00:25.567256927 CET46549871111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:25.567337990 CET49871465192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:26.305634975 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:26.358758926 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:27.321026087 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:27.374365091 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:28.337670088 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:28.389961958 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:29.352334023 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:29.405589104 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:30.368542910 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:30.421210051 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:31.383896112 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:31.436830044 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:32.522397995 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:32.577459097 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:33.399602890 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:33.452613115 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:34.414923906 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:34.468091011 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:35.430478096 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:35.483854055 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:36.446176052 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:36.499452114 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:37.461719036 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:37.515063047 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:38.476980925 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:38.530586958 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:39.492949009 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:39.546329975 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:40.508446932 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:40.561856985 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:41.525248051 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:41.577487946 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:42.540806055 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:42.593198061 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:43.570858002 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:43.624422073 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:44.587079048 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:44.640026093 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:44.820097923 CET56554980977.223.124.212192.168.2.4
                                                                                                              Dec 3, 2024 09:00:44.862093925 CET498095655192.168.2.477.223.124.212
                                                                                                              Dec 3, 2024 09:00:45.586707115 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:45.639996052 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:46.602340937 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:46.655643940 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:47.617897987 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:47.671226978 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:48.633831024 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:48.686878920 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:49.649194956 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:49.702573061 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:50.650155067 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:50.702507973 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:51.667279959 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:51.718167067 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:52.680609941 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:52.733746052 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:53.696150064 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:53.749389887 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:54.711993933 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:54.765062094 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:55.727521896 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:55.780620098 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:56.742933989 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:56.796390057 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:57.758866072 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:57.811888933 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:58.774281025 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:58.827511072 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:00:59.789686918 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:00:59.843251944 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:01:00.805775881 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:01:00.858762026 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:01:01.821095943 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:01:01.874423027 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:01:02.836867094 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:01:02.890022993 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:01:03.534677982 CET500038080192.168.2.478.138.9.142
                                                                                                              Dec 3, 2024 09:01:03.535819054 CET50005465192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:01:03.536712885 CET500065651192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:01:03.537008047 CET5000755555192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:01:03.537245035 CET500045651192.168.2.478.138.9.142
                                                                                                              Dec 3, 2024 09:01:03.654623985 CET80805000378.138.9.142192.168.2.4
                                                                                                              Dec 3, 2024 09:01:03.654726982 CET500038080192.168.2.478.138.9.142
                                                                                                              Dec 3, 2024 09:01:03.655463934 CET500038080192.168.2.478.138.9.142
                                                                                                              Dec 3, 2024 09:01:03.655507088 CET500038080192.168.2.478.138.9.142
                                                                                                              Dec 3, 2024 09:01:03.655771017 CET46550005111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:01:03.655839920 CET50005465192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:01:03.656287909 CET50005465192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:01:03.656322002 CET50005465192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:01:03.656649113 CET565150006111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:01:03.656742096 CET500065651192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:01:03.656851053 CET5555550007111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:01:03.656909943 CET5000755555192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:01:03.657089949 CET56515000478.138.9.142192.168.2.4
                                                                                                              Dec 3, 2024 09:01:03.657141924 CET500045651192.168.2.478.138.9.142
                                                                                                              Dec 3, 2024 09:01:03.657474995 CET500065651192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:01:03.657500982 CET500065651192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:01:03.657540083 CET5000755555192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:01:03.657556057 CET5000755555192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:01:03.657804012 CET500045651192.168.2.478.138.9.142
                                                                                                              Dec 3, 2024 09:01:03.657825947 CET500045651192.168.2.478.138.9.142
                                                                                                              Dec 3, 2024 09:01:03.776884079 CET80805000378.138.9.142192.168.2.4
                                                                                                              Dec 3, 2024 09:01:03.776896954 CET80805000378.138.9.142192.168.2.4
                                                                                                              Dec 3, 2024 09:01:03.777618885 CET46550005111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:01:03.777626991 CET46550005111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:01:03.778358936 CET565150006111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:01:03.778413057 CET565150006111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:01:03.778422117 CET5555550007111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:01:03.778434992 CET5555550007111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:01:03.778454065 CET56515000478.138.9.142192.168.2.4
                                                                                                              Dec 3, 2024 09:01:03.778461933 CET56515000478.138.9.142192.168.2.4
                                                                                                              Dec 3, 2024 09:01:03.852647066 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:01:03.905688047 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:01:04.867595911 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:01:04.921291113 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:01:05.883254051 CET8049874111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:01:05.936918974 CET4987480192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:01:06.290916920 CET565150006111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:01:06.291053057 CET500065651192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:01:06.291162968 CET500065651192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:01:06.322640896 CET5555550007111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:01:06.322731018 CET5000755555192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:01:06.325416088 CET5000755555192.168.2.4111.90.147.125
                                                                                                              Dec 3, 2024 09:01:06.414319992 CET565150006111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:01:06.446605921 CET5555550007111.90.147.125192.168.2.4
                                                                                                              Dec 3, 2024 09:01:06.899029016 CET8049874111.90.147.125192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 3, 2024 08:59:09.750004053 CET | 61966 | 53 | 192.168.2.4 | 1.1.1.1
Dec 3, 2024 08:59:10.149921894 CET | 53 | 61966 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 3, 2024 08:59:09.750004053 CET | 192.168.2.4 | 1.1.1.1 | 0xd549 | Standard query (0) | id72.internetid.ru | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 3, 2024 08:58:49.112268925 CET | 1.1.1.1 | 192.168.2.4 | 0xa46a | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 08:58:49.112268925 CET | 1.1.1.1 | 192.168.2.4 | 0xa46a | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 08:58:59.651021004 CET | 1.1.1.1 | 192.168.2.4 | 0xee5 | No error (0) | templatesmetadata.office.net | templatesmetadata.office.net.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 3, 2024 08:59:06.456948996 CET | 1.1.1.1 | 192.168.2.4 | 0xf067 | No error (0) | prod.globalsign.map.fastly.net | | 151.101.2.133 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 08:59:06.456948996 CET | 1.1.1.1 | 192.168.2.4 | 0xf067 | No error (0) | prod.globalsign.map.fastly.net | | 151.101.130.133 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 08:59:06.456948996 CET | 1.1.1.1 | 192.168.2.4 | 0xf067 | No error (0) | prod.globalsign.map.fastly.net | | 151.101.194.133 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 08:59:06.456948996 CET | 1.1.1.1 | 192.168.2.4 | 0xf067 | No error (0) | prod.globalsign.map.fastly.net | | 151.101.66.133 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 08:59:10.149921894 CET | 1.1.1.1 | 192.168.2.4 | 0xd549 | No error (0) | id72.internetid.ru | main.internetid.ru | | CNAME (Canonical name) | IN (0x0001) | false
Dec 3, 2024 08:59:10.149921894 CET | 1.1.1.1 | 192.168.2.4 | 0xd549 | No error (0) | main.internetid.ru | | 95.213.205.83 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49874 | 111.90.147.125 | 80 | 8104 | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
Timestamp | Bytes transferred | Direction | Data
Dec 3, 2024 09:00:03.640391111 CET | 6 | OUT | Data Raw: 00 00 00 07
Data Ascii:
Dec 3, 2024 09:00:03.640410900 CET | 6 | OUT | Data Raw: 00 00 00 03
Data Ascii:
Dec 3, 2024 09:00:05.231409073 CET | 4 | IN | Data Raw: 00 01 12 7e
Data Ascii: ~
Dec 3, 2024 09:00:05.231710911 CET | 6 | OUT | Data Raw: 00 01 12 7e
Data Ascii: ~
Dec 3, 2024 09:00:05.231734037 CET | 6 | OUT | Data Raw: 00 00 00 01
Data Ascii:
Dec 3, 2024 09:00:05.231740952 CET | 6 | OUT | Data Raw: 2d 2d 0d 0a
Data Ascii: --
Dec 3, 2024 09:00:05.231762886 CET | 6 | OUT | Data Raw: 00 00 00 2e
Data Ascii: .
Dec 3, 2024 09:00:05.231771946 CET | 46 | OUT | Data Raw: 22 00 43 00 6f 00 6d 00 70 00 75 00 74 00 65 00 72 00 20 00 6e 00 61 00 6d 00 65 00 3a 00 20 00 34 00 39 00 34 00 31 00 32 00 36 00 22 00
Data Ascii: "Computer name: 494126"
Dec 3, 2024 09:00:06.067918062 CET | 4 | IN | Data Raw: 00 00 00 00
Data Ascii:
Dec 3, 2024 09:00:07.071435928 CET | 4 | IN | Data Raw: 00 00 00 00
Data Ascii:


                                                                                                              Target ID:0
                                                                                                              Start time:02:58:37
                                                                                                              Start date:03/12/2024
                                                                                                              Path:C:\Users\user\Desktop\442.docx.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:"C:\Users\user\Desktop\442.docx.exe"
                                                                                                              Imagebase:0x7ff6e9960000
                                                                                                              File size:25'141'051 bytes
                                                                                                              MD5 hash:FB8117B1A3F0924100FBC209DBBB1BB1
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:low
                                                                                                              Has exited:true

                                                                                                              Target ID:1
                                                                                                              Start time:02:58:39
                                                                                                              Start date:03/12/2024
                                                                                                              Path:C:\Windows\System32\msiexec.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\intel\Word.msi" /qn
                                                                                                              Imagebase:0x7ff7673d0000
                                                                                                              File size:69'632 bytes
                                                                                                              MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high
                                                                                                              Has exited:true

                                                                                                              Target ID:2
                                                                                                              Start time:02:58:40
                                                                                                              Start date:03/12/2024
                                                                                                              Path:C:\Windows\System32\msiexec.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                              Imagebase:0x7ff7673d0000
                                                                                                              File size:69'632 bytes
                                                                                                              MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high
                                                                                                              Has exited:false

                                                                                                              Target ID:3
                                                                                                              Start time:02:58:40
                                                                                                              Start date:03/12/2024
                                                                                                              Path:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\intel\Doc.docx" /o ""
                                                                                                              Imagebase:0xa60000
                                                                                                              File size:1'620'872 bytes
                                                                                                              MD5 hash:1A0C2C2E7D9C4BC18E91604E9B0C7678
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high
                                                                                                              Has exited:false

                                                                                                              Target ID:4
                                                                                                              Start time:02:58:41
                                                                                                              Start date:03/12/2024
                                                                                                              Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 27EB6A3C3744FE0C3070BA0974142203
                                                                                                              Imagebase:0xcb0000
                                                                                                              File size:59'904 bytes
                                                                                                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high
                                                                                                              Has exited:true

                                                                                                              Target ID:5
                                                                                                              Start time:02:58:42
                                                                                                              Start date:03/12/2024
                                                                                                              Path:C:\Windows\System32\sppsvc.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\system32\sppsvc.exe
                                                                                                              Imagebase:0x7ff735860000
                                                                                                              File size:4'630'384 bytes
                                                                                                              MD5 hash:320823F03672CEB82CC3A169989ABD12
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:false
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:moderate
                                                                                                              Has exited:true

                                                                                                              Target ID:6
                                                                                                              Start time:02:58:43
                                                                                                              Start date:03/12/2024
                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                              Imagebase:0x7ff6eef20000
                                                                                                              File size:55'320 bytes
                                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high
                                                                                                              Has exited:true

                                                                                                              Target ID:10
                                                                                                              Start time:02:58:49
                                                                                                              Start date:03/12/2024
                                                                                                              Path:C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" -msi_copy "C:\intel\Word.msi"
                                                                                                              Imagebase:0xf50000
                                                                                                              File size:11'132'168 bytes
                                                                                                              MD5 hash:CB9BE257064162076EBD4869CD97E166
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:Borland Delphi
                                                                                                              Yara matches:
                                                                                                              • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 0000000A.00000000.1833112802.0000000001A05000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Author: Joe Security
                                                                                                              • Rule: MALWARE_Win_RemoteUtilitiesRAT, Description: RemoteUtilitiesRAT RAT payload, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Author: ditekSHen
                                                                                                              Antivirus matches:
                                                                                                              • Detection: 13%, ReversingLabs
                                                                                                              Reputation:low
                                                                                                              Has exited:true

                                                                                                              Target ID:12
                                                                                                              Start time:02:58:53
                                                                                                              Start date:03/12/2024
                                                                                                              Path:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
                                                                                                              Imagebase:0xea0000
                                                                                                              File size:21'764'872 bytes
                                                                                                              MD5 hash:D563A4D6BFCFE6884D1AC88824CB5C2A
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:Borland Delphi
                                                                                                              Yara matches:
                                                                                                              • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 0000000C.00000000.1886249822.0000000002361000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, Author: Joe Security
                                                                                                              • Rule: MALWARE_Win_RemoteUtilitiesRAT, Description: RemoteUtilitiesRAT RAT payload, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, Author: ditekSHen
                                                                                                              Antivirus matches:
                                                                                                              • Detection: 12%, ReversingLabs
                                                                                                              Reputation:low
                                                                                                              Has exited:true

                                                                                                              Target ID:15
                                                                                                              Start time:02:58:58
                                                                                                              Start date:03/12/2024
                                                                                                              Path:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall
                                                                                                              Imagebase:0xea0000
                                                                                                              File size:21'764'872 bytes
                                                                                                              MD5 hash:D563A4D6BFCFE6884D1AC88824CB5C2A
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:Borland Delphi
                                                                                                              Reputation:low
                                                                                                              Has exited:true

                                                                                                              Target ID:16
                                                                                                              Start time:02:59:00
                                                                                                              Start date:03/12/2024
                                                                                                              Path:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
                                                                                                              Imagebase:0xea0000
                                                                                                              File size:21'764'872 bytes
                                                                                                              MD5 hash:D563A4D6BFCFE6884D1AC88824CB5C2A
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:Borland Delphi
                                                                                                              Has exited:true

                                                                                                              Target ID:17
                                                                                                              Start time:02:59:01
                                                                                                              Start date:03/12/2024
                                                                                                              Path:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -service
                                                                                                              Imagebase:0xea0000
                                                                                                              File size:21'764'872 bytes
                                                                                                              MD5 hash:D563A4D6BFCFE6884D1AC88824CB5C2A
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:Borland Delphi
                                                                                                              Yara matches:
                                                                                                              • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 00000011.00000002.3583938234.0000000002AD8000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 00000011.00000003.2017043262.0000000005748000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              Has exited:false

                                                                                                              Target ID:18
                                                                                                              Start time:02:59:03
                                                                                                              Start date:03/12/2024
                                                                                                              Path:C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
                                                                                                              Imagebase:0xf50000
                                                                                                              File size:11'132'168 bytes
                                                                                                              MD5 hash:CB9BE257064162076EBD4869CD97E166
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:Borland Delphi
                                                                                                              Yara matches:
                                                                                                              • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 00000012.00000002.3578746166.000000000351A000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 00000012.00000002.3578746166.00000000034F6000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              Has exited:false

                                                                                                              Target ID:19
                                                                                                              Start time:02:59:03
                                                                                                              Start date:03/12/2024
                                                                                                              Path:C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
                                                                                                              Imagebase:0xf50000
                                                                                                              File size:11'132'168 bytes
                                                                                                              MD5 hash:CB9BE257064162076EBD4869CD97E166
                                                                                                              Has elevated privileges:false
                                                                                                              Has administrator privileges:false
                                                                                                              Programmed in:Borland Delphi
                                                                                                              Yara matches:
                                                                                                              • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 00000013.00000002.3578843843.000000000348A000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 00000013.00000002.3578843843.0000000003458000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 00000013.00000002.3584056287.0000000004DC4000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 00000013.00000002.3584056287.0000000004D80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              Has exited:false

                                                                                                              Target ID:20
                                                                                                              Start time:02:59:12
                                                                                                              Start date:03/12/2024
                                                                                                              Path:C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
                                                                                                              Imagebase:0xf50000
                                                                                                              File size:11'132'168 bytes
                                                                                                              MD5 hash:CB9BE257064162076EBD4869CD97E166
                                                                                                              Has elevated privileges:false
                                                                                                              Has administrator privileges:false
                                                                                                              Programmed in:Borland Delphi
                                                                                                              Has exited:true

                                                                                                              Target ID:21
                                                                                                              Start time:02:59:52
                                                                                                              Start date:03/12/2024
                                                                                                              Path:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall
                                                                                                              Imagebase:0xea0000
                                                                                                              File size:21'764'872 bytes
                                                                                                              MD5 hash:D563A4D6BFCFE6884D1AC88824CB5C2A
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:Borland Delphi
                                                                                                              Has exited:true


                                                                                                                Execution Graph

                                                                                                                Execution Coverage:11.9%
                                                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                                                Signature Coverage:27%
                                                                                                                Total number of Nodes:2000
                                                                                                                Total number of Limit Nodes:26
25661 7ff6e9991639 25659->25661 25660->25661 25662 7ff6e9991653 GetProcAddress 25660->25662 25661->25658 25662->25661 25665 7ff6e99917fa DloadProtectSection 25663->25665 25664 7ff6e9991802 25664->25645 25665->25664 25666 7ff6e999183a VirtualProtect 25665->25666 25668 7ff6e99916a4 VirtualQuery GetSystemInfo 25665->25668 25666->25664 25668->25666 26385 7ff6e99911cf 26387 7ff6e9991102 26385->26387 26386 7ff6e9991900 _com_raise_error 14 API calls 26386->26387 26387->26386 26360 7ff6e999bf2c 26367 7ff6e999bc34 26360->26367 26372 7ff6e999d440 35 API calls 3 library calls 26367->26372 26371 7ff6e999bc3f 26373 7ff6e999d068 35 API calls abort 26371->26373 26372->26371 25602 7ff6e9990df5 14 API calls _com_raise_error 25674 7ff6e9992d6c 25699 7ff6e99927fc 25674->25699 25677 7ff6e9992eb8 25797 7ff6e9993170 7 API calls 2 library calls 25677->25797 25678 7ff6e9992d88 __scrt_acquire_startup_lock 25680 7ff6e9992ec2 25678->25680 25682 7ff6e9992da6 25678->25682 25798 7ff6e9993170 7 API calls 2 library calls 25680->25798 25683 7ff6e9992dcb 25682->25683 25689 7ff6e9992de8 __scrt_release_startup_lock 25682->25689 25707 7ff6e999cd90 25682->25707 25684 7ff6e9992ecd abort 25686 7ff6e9992e51 25711 7ff6e99932bc 25686->25711 25688 7ff6e9992e56 25714 7ff6e999cd20 25688->25714 25689->25686 25794 7ff6e999c050 35 API calls __GSHandlerCheck_EH 25689->25794 25799 7ff6e9992fb0 25699->25799 25702 7ff6e9992827 25702->25677 25702->25678 25703 7ff6e999282b 25801 7ff6e999cc50 25703->25801 25708 7ff6e999cdeb 25707->25708 25709 7ff6e999cdcc 25707->25709 25708->25689 25709->25708 25818 7ff6e9961120 25709->25818 25861 7ff6e9993cf0 25711->25861 25863 7ff6e99a0730 25714->25863 25716 7ff6e9992e5e 25719 7ff6e9990754 25716->25719 25717 7ff6e999cd2f 25717->25716 25867 7ff6e99a0ac0 35 API calls swprintf 25717->25867 25869 7ff6e997dfd0 25719->25869 25723 7ff6e999079a 25956 7ff6e998946c 25723->25956 25725 7ff6e99907a4 __scrt_get_show_window_mode 25961 7ff6e9989a14 25725->25961 25727 7ff6e9990ddc 25730 7ff6e9997904 
_invalid_parameter_noinfo_noreturn 31 API calls 25727->25730 25728 7ff6e999096e GetCommandLineW 25732 7ff6e9990980 25728->25732 25733 7ff6e9990b42 25728->25733 25729 7ff6e9990819 25729->25727 25729->25728 25731 7ff6e9990de2 25730->25731 25736 7ff6e9997904 _invalid_parameter_noinfo_noreturn 31 API calls 25731->25736 26018 7ff6e996129c 25732->26018 25971 7ff6e9976454 25733->25971 25735 7ff6e9990b51 25738 7ff6e9961fa0 31 API calls 25735->25738 25741 7ff6e9990b68 BuildCatchObjectHelperInternal 25735->25741 25746 7ff6e9990de8 25736->25746 25738->25741 25739 7ff6e9961fa0 31 API calls 25742 7ff6e9990b93 SetEnvironmentVariableW GetLocalTime 25739->25742 25740 7ff6e99909a5 26028 7ff6e998cad0 102 API calls 3 library calls 25740->26028 25741->25739 25983 7ff6e9973e28 25742->25983 25743 7ff6e9991900 _com_raise_error 14 API calls 25743->25746 25746->25743 25747 7ff6e99909af 25747->25731 25749 7ff6e99909f9 OpenFileMappingW 25747->25749 25750 7ff6e9990adb 25747->25750 25752 7ff6e9990ad0 CloseHandle 25749->25752 25753 7ff6e9990a19 MapViewOfFile 25749->25753 25757 7ff6e996129c 33 API calls 25750->25757 25752->25733 25753->25752 25755 7ff6e9990a3f UnmapViewOfFile MapViewOfFile 25753->25755 25755->25752 25758 7ff6e9990a71 25755->25758 25760 7ff6e9990b00 25757->25760 26029 7ff6e998a190 33 API calls 2 library calls 25758->26029 25759 7ff6e9990c75 26011 7ff6e99867b4 25759->26011 26033 7ff6e998fd0c 35 API calls 2 library calls 25760->26033 25765 7ff6e9990a81 26030 7ff6e998fd0c 35 API calls 2 library calls 25765->26030 25766 7ff6e99867b4 33 API calls 25769 7ff6e9990c87 DialogBoxParamW 25766->25769 25767 7ff6e9990b0a 25767->25733 25772 7ff6e9990dd7 25767->25772 25776 7ff6e9990cd3 25769->25776 25770 7ff6e9990a90 26031 7ff6e997b9b4 102 API calls 25770->26031 25774 7ff6e9997904 _invalid_parameter_noinfo_noreturn 31 API calls 25772->25774 25773 7ff6e9990aa5 26032 7ff6e997bb00 102 API calls 25773->26032 25774->25727 25778 7ff6e9990ce6 Sleep 25776->25778 25779 7ff6e9990cec 25776->25779 25777 
7ff6e9990ab8 25780 7ff6e9990ac7 UnmapViewOfFile 25777->25780 25778->25779 25781 7ff6e9990cfa 25779->25781 26034 7ff6e9989f4c 49 API calls 2 library calls 25779->26034 25780->25752 25783 7ff6e9990d06 DeleteObject 25781->25783 25784 7ff6e9990d1f DeleteObject 25783->25784 25785 7ff6e9990d25 25783->25785 25784->25785 25786 7ff6e9990d5b 25785->25786 25787 7ff6e9990d6d 25785->25787 26035 7ff6e998fe24 PeekMessageW GetMessageW TranslateMessage DispatchMessageW WaitForSingleObject 25786->26035 26014 7ff6e99894e4 25787->26014 25789 7ff6e9990d60 CloseHandle 25789->25787 25794->25686 25797->25680 25798->25684 25800 7ff6e999281e __scrt_dllmain_crt_thread_attach 25799->25800 25800->25702 25800->25703 25802 7ff6e99a0d4c 25801->25802 25803 7ff6e9992830 25802->25803 25806 7ff6e999ec00 25802->25806 25803->25702 25805 7ff6e99951a0 7 API calls 2 library calls 25803->25805 25805->25702 25817 7ff6e999f398 EnterCriticalSection 25806->25817 25823 7ff6e99691c8 25818->25823 25822 7ff6e9992a01 25822->25709 25831 7ff6e99756a4 25823->25831 25825 7ff6e99691df 25834 7ff6e997b788 25825->25834 25829 7ff6e9961130 25830 7ff6e99929bc 34 API calls 25829->25830 25830->25822 25840 7ff6e99756e8 25831->25840 25849 7ff6e99613a4 25834->25849 25837 7ff6e9969a28 25838 7ff6e99756e8 2 API calls 25837->25838 25839 7ff6e9969a36 25838->25839 25839->25829 25841 7ff6e99756fe __scrt_get_show_window_mode 25840->25841 25844 7ff6e997eba4 25841->25844 25847 7ff6e997eb58 GetCurrentProcess GetProcessAffinityMask 25844->25847 25848 7ff6e99756de 25847->25848 25848->25825 25850 7ff6e99613ad 25849->25850 25858 7ff6e996142d 25849->25858 25851 7ff6e996143d 25850->25851 25853 7ff6e99613ce 25850->25853 25860 7ff6e9962018 33 API calls std::_Xinvalid_argument 25851->25860 25855 7ff6e99921d0 33 API calls 25853->25855 25856 7ff6e99613db __scrt_get_show_window_mode 25853->25856 25855->25856 25859 7ff6e996197c 31 API calls _invalid_parameter_noinfo_noreturn 25856->25859 25858->25837 25859->25858 25862 7ff6e99932d3 GetStartupInfoW 
25861->25862 25862->25688 25864 7ff6e99a0749 25863->25864 25865 7ff6e99a073d 25863->25865 25864->25717 25868 7ff6e99a0570 48 API calls 4 library calls 25865->25868 25867->25717 25868->25864 26036 7ff6e9992450 25869->26036 25872 7ff6e997e07b 25874 7ff6e997e503 25872->25874 26069 7ff6e999b788 39 API calls 2 library calls 25872->26069 25873 7ff6e997e026 GetProcAddress 25875 7ff6e997e03b 25873->25875 25876 7ff6e997e053 GetProcAddress 25873->25876 25878 7ff6e9976454 34 API calls 25874->25878 25875->25876 25876->25872 25879 7ff6e997e068 25876->25879 25881 7ff6e997e50c 25878->25881 25879->25872 25880 7ff6e997e3b0 25880->25874 25882 7ff6e997e3ba 25880->25882 26038 7ff6e9977df4 25881->26038 25884 7ff6e9976454 34 API calls 25882->25884 25885 7ff6e997e3c3 CreateFileW 25884->25885 25887 7ff6e997e403 SetFilePointer 25885->25887 25888 7ff6e997e4f0 CloseHandle 25885->25888 25887->25888 25890 7ff6e997e41c ReadFile 25887->25890 25891 7ff6e9961fa0 31 API calls 25888->25891 25889 7ff6e997e51a 25896 7ff6e997e53e CompareStringW 25889->25896 25897 7ff6e996129c 33 API calls 25889->25897 25903 7ff6e9961fa0 31 API calls 25889->25903 25931 7ff6e997e5cc 25889->25931 26046 7ff6e99751a4 25889->26046 26051 7ff6e9978090 25889->26051 26055 7ff6e99732bc 25889->26055 25890->25888 25892 7ff6e997e444 25890->25892 25891->25874 25893 7ff6e997e800 25892->25893 25898 7ff6e997e458 25892->25898 26075 7ff6e9992624 8 API calls 25893->26075 25895 7ff6e997e805 25896->25889 25897->25889 25899 7ff6e996129c 33 API calls 25898->25899 25904 7ff6e997e48f 25899->25904 25902 7ff6e997e63a 25905 7ff6e997e648 25902->25905 25906 7ff6e997e7c2 25902->25906 25903->25889 25907 7ff6e997e4db 25904->25907 26070 7ff6e997d0a0 33 API calls 25904->26070 26071 7ff6e9977eb0 47 API calls 25905->26071 25909 7ff6e9961fa0 31 API calls 25906->25909 25911 7ff6e9961fa0 31 API calls 25907->25911 25913 7ff6e997e7cb 25909->25913 25914 7ff6e997e4e5 25911->25914 25912 7ff6e997e651 25915 7ff6e99751a4 9 API calls 25912->25915 25917 7ff6e9961fa0 31 
API calls 25913->25917 25918 7ff6e9961fa0 31 API calls 25914->25918 25919 7ff6e997e656 25915->25919 25916 7ff6e996129c 33 API calls 25916->25931 25920 7ff6e997e7d5 25917->25920 25918->25888 25921 7ff6e997e706 25919->25921 25928 7ff6e997e661 25919->25928 25923 7ff6e9992320 _handle_error 8 API calls 25920->25923 25924 7ff6e997da98 48 API calls 25921->25924 25922 7ff6e9978090 47 API calls 25922->25931 25925 7ff6e997e7e4 25923->25925 25926 7ff6e997e74b AllocConsole 25924->25926 25946 7ff6e99762dc GetCurrentDirectoryW 25925->25946 25929 7ff6e997e755 GetCurrentProcessId AttachConsole 25926->25929 25930 7ff6e997e6fb 25926->25930 25927 7ff6e9961fa0 31 API calls 25927->25931 25934 7ff6e997aae0 48 API calls 25928->25934 25932 7ff6e997e76c 25929->25932 26074 7ff6e99619e0 31 API calls _invalid_parameter_noinfo_noreturn 25930->26074 25931->25902 25931->25916 25931->25922 25931->25927 25933 7ff6e99732bc 51 API calls 25931->25933 25939 7ff6e997e778 GetStdHandle WriteConsoleW Sleep FreeConsole 25932->25939 25933->25931 25936 7ff6e997e6a5 25934->25936 25938 7ff6e997da98 48 API calls 25936->25938 25937 7ff6e997e7b9 ExitProcess 25940 7ff6e997e6c3 25938->25940 25939->25930 25941 7ff6e997aae0 48 API calls 25940->25941 25942 7ff6e997e6ce 25941->25942 26072 7ff6e997dc2c 33 API calls 25942->26072 25944 7ff6e997e6da 26073 7ff6e99619e0 31 API calls _invalid_parameter_noinfo_noreturn 25944->26073 25947 7ff6e9976300 25946->25947 25952 7ff6e997638d 25946->25952 25948 7ff6e99613a4 33 API calls 25947->25948 25949 7ff6e997631b GetCurrentDirectoryW 25948->25949 25950 7ff6e9976341 25949->25950 26176 7ff6e99620b0 25950->26176 25952->25723 25953 7ff6e997634f 25953->25952 25954 7ff6e9997904 _invalid_parameter_noinfo_noreturn 31 API calls 25953->25954 25955 7ff6e99763a9 25954->25955 25957 7ff6e997dd88 25956->25957 25958 7ff6e9989481 OleInitialize 25957->25958 25959 7ff6e99894a7 25958->25959 25960 7ff6e99894cd SHGetMalloc 25959->25960 25960->25725 25962 7ff6e9989a49 25961->25962 25964 7ff6e9989a4e 
BuildCatchObjectHelperInternal 25961->25964 25963 7ff6e9961fa0 31 API calls 25962->25963 25963->25964 25965 7ff6e9989a7d BuildCatchObjectHelperInternal 25964->25965 25966 7ff6e9961fa0 31 API calls 25964->25966 25967 7ff6e9961fa0 31 API calls 25965->25967 25968 7ff6e9989aac BuildCatchObjectHelperInternal 25965->25968 25966->25965 25967->25968 25969 7ff6e9961fa0 31 API calls 25968->25969 25970 7ff6e9989adb BuildCatchObjectHelperInternal 25968->25970 25969->25970 25970->25729 25972 7ff6e99613a4 33 API calls 25971->25972 25973 7ff6e9976489 25972->25973 25974 7ff6e997648c GetModuleFileNameW 25973->25974 25977 7ff6e99764dc 25973->25977 25975 7ff6e99764a7 25974->25975 25976 7ff6e99764de 25974->25976 25975->25973 25976->25977 25978 7ff6e996129c 33 API calls 25977->25978 25980 7ff6e9976506 25978->25980 25979 7ff6e997653e 25979->25735 25980->25979 25981 7ff6e9997904 _invalid_parameter_noinfo_noreturn 31 API calls 25980->25981 25982 7ff6e9976560 25981->25982 25984 7ff6e9973e4d _snwprintf 25983->25984 25985 7ff6e9999ef0 swprintf 46 API calls 25984->25985 25986 7ff6e9973e69 SetEnvironmentVariableW GetModuleHandleW LoadIconW 25985->25986 25987 7ff6e998b014 LoadBitmapW 25986->25987 25988 7ff6e998b03e 25987->25988 25989 7ff6e998b046 25987->25989 26181 7ff6e9988624 FindResourceExW 25988->26181 25991 7ff6e998b04e GetObjectW 25989->25991 25992 7ff6e998b063 25989->25992 25991->25992 26196 7ff6e998849c 25992->26196 25995 7ff6e998b0ce 26006 7ff6e99798ac 25995->26006 25996 7ff6e998b09e 26201 7ff6e9988504 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 25996->26201 25998 7ff6e9988624 11 API calls 26000 7ff6e998b08a 25998->26000 25999 7ff6e998b0a7 26202 7ff6e99884cc 25999->26202 26000->25996 26002 7ff6e998b092 DeleteObject 26000->26002 26002->25996 26005 7ff6e998b0bf DeleteObject 26005->25995 26209 7ff6e99798dc 26006->26209 26008 7ff6e99798ba 26276 7ff6e997a43c GetModuleHandleW FindResourceW 26008->26276 26010 7ff6e99798c2 26010->25759 26012 7ff6e99921d0 33 API calls 26011->26012 26013 
7ff6e99867fa 26012->26013 26013->25766 26015 7ff6e9989501 26014->26015 26016 7ff6e998950a OleUninitialize 26015->26016 26017 7ff6e99ce330 26016->26017 26019 7ff6e99612d0 26018->26019 26026 7ff6e996139b 26018->26026 26020 7ff6e99612de BuildCatchObjectHelperInternal 26019->26020 26023 7ff6e9961396 26019->26023 26025 7ff6e9961338 26019->26025 26020->25740 26358 7ff6e9961f80 33 API calls 3 library calls 26023->26358 26025->26020 26027 7ff6e99921d0 33 API calls 26025->26027 26359 7ff6e9962004 33 API calls std::_Xinvalid_argument 26026->26359 26027->26020 26028->25747 26029->25765 26030->25770 26031->25773 26032->25777 26033->25767 26034->25781 26035->25789 26037 7ff6e997dff4 GetModuleHandleW 26036->26037 26037->25872 26037->25873 26039 7ff6e9977e0c 26038->26039 26040 7ff6e9977e55 26039->26040 26041 7ff6e9977e23 26039->26041 26076 7ff6e996704c 47 API calls BuildCatchObjectHelperInternal 26040->26076 26044 7ff6e996129c 33 API calls 26041->26044 26043 7ff6e9977e5a 26045 7ff6e9977e47 26044->26045 26045->25889 26047 7ff6e99751c8 GetVersionExW 26046->26047 26048 7ff6e99751fb 26046->26048 26047->26048 26049 7ff6e9992320 _handle_error 8 API calls 26048->26049 26050 7ff6e9975228 26049->26050 26050->25889 26052 7ff6e99780a5 26051->26052 26077 7ff6e9978188 26052->26077 26054 7ff6e99780ca 26054->25889 26056 7ff6e99732e7 GetFileAttributesW 26055->26056 26057 7ff6e99732e4 26055->26057 26058 7ff6e99732f8 26056->26058 26065 7ff6e9973375 26056->26065 26057->26056 26086 7ff6e9976a0c 26058->26086 26060 7ff6e9992320 _handle_error 8 API calls 26062 7ff6e9973389 26060->26062 26062->25889 26063 7ff6e997333c 26063->26065 26066 7ff6e9973399 26063->26066 26064 7ff6e9973323 GetFileAttributesW 26064->26063 26065->26060 26067 7ff6e9997904 _invalid_parameter_noinfo_noreturn 31 API calls 26066->26067 26068 7ff6e997339e 26067->26068 26069->25880 26070->25904 26071->25912 26072->25944 26073->25930 26074->25937 26075->25895 26076->26043 26078 7ff6e9978326 26077->26078 26081 7ff6e99781ba 26077->26081 
26085 7ff6e996704c 47 API calls BuildCatchObjectHelperInternal 26078->26085 26080 7ff6e997832b 26083 7ff6e99781d4 BuildCatchObjectHelperInternal 26081->26083 26084 7ff6e99758a4 33 API calls 2 library calls 26081->26084 26083->26054 26084->26083 26085->26080 26087 7ff6e9976a4b 26086->26087 26102 7ff6e9976a44 26086->26102 26089 7ff6e996129c 33 API calls 26087->26089 26088 7ff6e9992320 _handle_error 8 API calls 26090 7ff6e997331f 26088->26090 26091 7ff6e9976a76 26089->26091 26090->26063 26090->26064 26092 7ff6e9976a96 26091->26092 26093 7ff6e9976cc7 26091->26093 26095 7ff6e9976ab0 26092->26095 26117 7ff6e9976b49 26092->26117 26094 7ff6e99762dc 35 API calls 26093->26094 26097 7ff6e9976ce6 26094->26097 26096 7ff6e99770ab 26095->26096 26159 7ff6e996c098 33 API calls 2 library calls 26095->26159 26171 7ff6e9962004 33 API calls std::_Xinvalid_argument 26096->26171 26098 7ff6e9976eef 26097->26098 26104 7ff6e9976d1b 26097->26104 26157 7ff6e9976b44 26097->26157 26103 7ff6e99770cf 26098->26103 26168 7ff6e996c098 33 API calls 2 library calls 26098->26168 26100 7ff6e99770b1 26110 7ff6e9997904 _invalid_parameter_noinfo_noreturn 31 API calls 26100->26110 26102->26088 26174 7ff6e9962004 33 API calls std::_Xinvalid_argument 26103->26174 26108 7ff6e99770bd 26104->26108 26162 7ff6e996c098 33 API calls 2 library calls 26104->26162 26106 7ff6e9976b03 26119 7ff6e9961fa0 31 API calls 26106->26119 26125 7ff6e9976b15 BuildCatchObjectHelperInternal 26106->26125 26172 7ff6e9962004 33 API calls std::_Xinvalid_argument 26108->26172 26109 7ff6e99770d5 26111 7ff6e9997904 _invalid_parameter_noinfo_noreturn 31 API calls 26109->26111 26116 7ff6e99770b7 26110->26116 26118 7ff6e99770db 26111->26118 26112 7ff6e99770a6 26123 7ff6e9997904 _invalid_parameter_noinfo_noreturn 31 API calls 26112->26123 26113 7ff6e9976f56 26169 7ff6e99611cc 33 API calls BuildCatchObjectHelperInternal 26113->26169 26127 7ff6e9997904 _invalid_parameter_noinfo_noreturn 31 API calls 26116->26127 26124 7ff6e996129c 33 API calls 
26117->26124 26117->26157 26129 7ff6e9997904 _invalid_parameter_noinfo_noreturn 31 API calls 26118->26129 26119->26125 26121 7ff6e99770c3 26132 7ff6e9997904 _invalid_parameter_noinfo_noreturn 31 API calls 26121->26132 26122 7ff6e9961fa0 31 API calls 26122->26157 26123->26096 26130 7ff6e9976bbe 26124->26130 26125->26122 26126 7ff6e9976f69 26170 7ff6e99757ac 33 API calls BuildCatchObjectHelperInternal 26126->26170 26127->26108 26128 7ff6e9961fa0 31 API calls 26142 7ff6e9976df5 26128->26142 26133 7ff6e99770e1 26129->26133 26160 7ff6e9975820 33 API calls 26130->26160 26135 7ff6e99770c9 26132->26135 26173 7ff6e996704c 47 API calls BuildCatchObjectHelperInternal 26135->26173 26136 7ff6e9976bd3 26161 7ff6e996e164 33 API calls 2 library calls 26136->26161 26137 7ff6e9976d76 BuildCatchObjectHelperInternal 26137->26121 26137->26128 26138 7ff6e9961fa0 31 API calls 26141 7ff6e9976fec 26138->26141 26143 7ff6e9961fa0 31 API calls 26141->26143 26148 7ff6e9976e21 26142->26148 26163 7ff6e9961744 33 API calls 4 library calls 26142->26163 26147 7ff6e9976ff6 26143->26147 26144 7ff6e9976f79 BuildCatchObjectHelperInternal 26144->26118 26144->26138 26146 7ff6e9961fa0 31 API calls 26149 7ff6e9976c6d 26146->26149 26150 7ff6e9961fa0 31 API calls 26147->26150 26148->26135 26151 7ff6e996129c 33 API calls 26148->26151 26153 7ff6e9961fa0 31 API calls 26149->26153 26150->26157 26154 7ff6e9976ec2 26151->26154 26152 7ff6e9976be9 BuildCatchObjectHelperInternal 26152->26116 26152->26146 26153->26157 26164 7ff6e9962034 26154->26164 26156 7ff6e9976edf 26158 7ff6e9961fa0 31 API calls 26156->26158 26157->26100 26157->26102 26157->26109 26157->26112 26158->26157 26159->26106 26160->26136 26161->26152 26162->26137 26163->26148 26165 7ff6e9962085 26164->26165 26167 7ff6e9962059 BuildCatchObjectHelperInternal 26164->26167 26175 7ff6e99615b8 33 API calls 3 library calls 26165->26175 26167->26156 26168->26113 26169->26126 26170->26144 26173->26103 26175->26167 26177 7ff6e99620f6 26176->26177 26179 
7ff6e99620cb BuildCatchObjectHelperInternal 26176->26179 26180 7ff6e9961474 33 API calls 3 library calls 26177->26180 26179->25953 26180->26179 26182 7ff6e998864f SizeofResource 26181->26182 26187 7ff6e998879b 26181->26187 26183 7ff6e9988669 LoadResource 26182->26183 26182->26187 26184 7ff6e9988682 LockResource 26183->26184 26183->26187 26185 7ff6e9988697 GlobalAlloc 26184->26185 26184->26187 26186 7ff6e99886b8 GlobalLock 26185->26186 26185->26187 26188 7ff6e9988792 GlobalFree 26186->26188 26189 7ff6e99886ca BuildCatchObjectHelperInternal 26186->26189 26187->25989 26188->26187 26190 7ff6e99886d8 CreateStreamOnHGlobal 26189->26190 26191 7ff6e99886f6 GdipAlloc 26190->26191 26192 7ff6e9988789 GlobalUnlock 26190->26192 26193 7ff6e998870b 26191->26193 26192->26188 26193->26192 26194 7ff6e9988772 26193->26194 26195 7ff6e998875a GdipCreateHBITMAPFromBitmap 26193->26195 26194->26192 26195->26194 26197 7ff6e99884cc 4 API calls 26196->26197 26198 7ff6e99884aa 26197->26198 26199 7ff6e99884b9 26198->26199 26207 7ff6e9988504 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 26198->26207 26199->25995 26199->25996 26199->25998 26201->25999 26203 7ff6e99884de 26202->26203 26204 7ff6e99884e3 26202->26204 26208 7ff6e9988590 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 26203->26208 26206 7ff6e9988df4 16 API calls _handle_error 26204->26206 26206->26005 26207->26199 26208->26204 26212 7ff6e99798fe _snwprintf 26209->26212 26210 7ff6e9979973 26327 7ff6e99768b0 48 API calls 26210->26327 26212->26210 26213 7ff6e9979a89 26212->26213 26216 7ff6e99799fd 26213->26216 26218 7ff6e99620b0 33 API calls 26213->26218 26214 7ff6e9961fa0 31 API calls 26214->26216 26215 7ff6e997997d BuildCatchObjectHelperInternal 26215->26214 26274 7ff6e997a42e 26215->26274 26278 7ff6e99724c0 26216->26278 26217 7ff6e9997904 _invalid_parameter_noinfo_noreturn 31 API calls 26219 7ff6e997a434 26217->26219 26218->26216 26222 7ff6e9997904 _invalid_parameter_noinfo_noreturn 31 API calls 26219->26222 26224 7ff6e997a43a 26222->26224 
26223 7ff6e9979a22 26226 7ff6e997204c 100 API calls 26223->26226 26225 7ff6e9979b17 26296 7ff6e999a450 26225->26296 26228 7ff6e9979a2b 26226->26228 26228->26219 26230 7ff6e9979a66 26228->26230 26229 7ff6e9979aad 26229->26225 26234 7ff6e9978e58 33 API calls 26229->26234 26233 7ff6e9992320 _handle_error 8 API calls 26230->26233 26232 7ff6e999a450 31 API calls 26246 7ff6e9979b57 __vcrt_InitializeCriticalSectionEx 26232->26246 26235 7ff6e997a40e 26233->26235 26234->26229 26235->26008 26236 7ff6e9979c89 26237 7ff6e9972aa0 101 API calls 26236->26237 26250 7ff6e9979d5c 26236->26250 26240 7ff6e9979ca1 26237->26240 26241 7ff6e99728d0 104 API calls 26240->26241 26240->26250 26247 7ff6e9979cc9 26241->26247 26246->26236 26246->26250 26304 7ff6e9972bb0 26246->26304 26313 7ff6e99728d0 26246->26313 26318 7ff6e9972aa0 26246->26318 26249 7ff6e9979cd7 __vcrt_InitializeCriticalSectionEx 26247->26249 26247->26250 26328 7ff6e9980bbc MultiByteToWideChar 26247->26328 26249->26250 26251 7ff6e997a1ec 26249->26251 26253 7ff6e997a157 26249->26253 26256 7ff6e997a14b 26249->26256 26270 7ff6e997a429 26249->26270 26271 7ff6e9980f68 WideCharToMultiByte 26249->26271 26329 7ff6e997aa88 45 API calls _snwprintf 26249->26329 26330 7ff6e999a270 31 API calls 2 library calls 26249->26330 26323 7ff6e997204c 26250->26323 26255 7ff6e997a2c2 26251->26255 26334 7ff6e999cf90 31 API calls 2 library calls 26251->26334 26253->26251 26331 7ff6e999cf90 31 API calls 2 library calls 26253->26331 26254 7ff6e997a249 26335 7ff6e999b7bc 31 API calls _invalid_parameter_noinfo_noreturn 26254->26335 26259 7ff6e997a3a2 26255->26259 26268 7ff6e9978e58 33 API calls 26255->26268 26256->26008 26261 7ff6e999a450 31 API calls 26259->26261 26260 7ff6e997a2ae 26260->26255 26336 7ff6e9978cd0 33 API calls 2 library calls 26260->26336 26263 7ff6e997a3cb 26261->26263 26265 7ff6e999a450 31 API calls 26263->26265 26264 7ff6e997a16d 26332 7ff6e999b7bc 31 API calls _invalid_parameter_noinfo_noreturn 26264->26332 26265->26250 26267 
7ff6e997a1d8 26267->26251 26333 7ff6e9978cd0 33 API calls 2 library calls 26267->26333 26268->26255 26337 7ff6e9992624 8 API calls 26270->26337 26271->26249 26274->26217 26277 7ff6e997a468 26276->26277 26277->26010 26279 7ff6e99724fd CreateFileW 26278->26279 26281 7ff6e99725ae GetLastError 26279->26281 26291 7ff6e997266e 26279->26291 26282 7ff6e9976a0c 49 API calls 26281->26282 26283 7ff6e99725dc 26282->26283 26284 7ff6e99725e0 CreateFileW GetLastError 26283->26284 26290 7ff6e997262c 26283->26290 26284->26290 26285 7ff6e99726b1 SetFileTime 26289 7ff6e99726cf 26285->26289 26286 7ff6e9972708 26287 7ff6e9992320 _handle_error 8 API calls 26286->26287 26288 7ff6e997271b 26287->26288 26288->26223 26288->26229 26289->26286 26292 7ff6e99620b0 33 API calls 26289->26292 26290->26291 26293 7ff6e9972736 26290->26293 26291->26285 26291->26289 26292->26286 26294 7ff6e9997904 _invalid_parameter_noinfo_noreturn 31 API calls 26293->26294 26295 7ff6e997273b 26294->26295 26297 7ff6e999a47d 26296->26297 26303 7ff6e999a492 26297->26303 26338 7ff6e999d69c 15 API calls _invalid_parameter_noinfo 26297->26338 26299 7ff6e999a487 26339 7ff6e99978e4 31 API calls _invalid_parameter_noinfo 26299->26339 26300 7ff6e9992320 _handle_error 8 API calls 26302 7ff6e9979b37 26300->26302 26302->26232 26303->26300 26305 7ff6e9972bcd 26304->26305 26309 7ff6e9972be9 26304->26309 26306 7ff6e9972bfb 26305->26306 26340 7ff6e996b9c4 99 API calls std::_Xinvalid_argument 26305->26340 26306->26246 26308 7ff6e9972c01 SetFilePointer 26308->26306 26310 7ff6e9972c1e GetLastError 26308->26310 26309->26306 26309->26308 26310->26306 26311 7ff6e9972c28 26310->26311 26311->26306 26341 7ff6e996b9c4 99 API calls std::_Xinvalid_argument 26311->26341 26314 7ff6e99728fd 26313->26314 26315 7ff6e99728f6 26313->26315 26314->26315 26317 7ff6e9972320 GetStdHandle ReadFile GetLastError GetLastError GetFileType 26314->26317 26342 7ff6e996b8a4 99 API calls std::_Xinvalid_argument 26314->26342 26315->26246 26317->26314 26343 
7ff6e9972778 26318->26343 26321 7ff6e9972ac7 26321->26246 26324 7ff6e9972066 26323->26324 26325 7ff6e9972072 26323->26325 26324->26325 26351 7ff6e99720d0 26324->26351 26327->26215 26328->26249 26329->26249 26330->26249 26331->26264 26332->26267 26333->26251 26334->26254 26335->26260 26336->26255 26337->26274 26338->26299 26339->26303 26349 7ff6e9972789 _snwprintf 26343->26349 26344 7ff6e9972890 SetFilePointer 26346 7ff6e99727b5 26344->26346 26348 7ff6e99728b8 GetLastError 26344->26348 26345 7ff6e9992320 _handle_error 8 API calls 26347 7ff6e997281d 26345->26347 26346->26345 26347->26321 26350 7ff6e996b9c4 99 API calls std::_Xinvalid_argument 26347->26350 26348->26346 26349->26344 26349->26346 26352 7ff6e99720ea 26351->26352 26354 7ff6e9972102 26351->26354 26352->26354 26355 7ff6e99720f6 CloseHandle 26352->26355 26353 7ff6e9972126 26353->26325 26354->26353 26357 7ff6e996b544 99 API calls 26354->26357 26355->26354 26357->26353 26358->26026 28393 7ff6e999d94c 28394 7ff6e999d997 28393->28394 28398 7ff6e999d95b _invalid_parameter_noinfo 28393->28398 28400 7ff6e999d69c 15 API calls _invalid_parameter_noinfo 28394->28400 28396 7ff6e999d97e HeapAlloc 28397 7ff6e999d995 28396->28397 28396->28398 28398->28394 28398->28396 28399 7ff6e999bbc0 _invalid_parameter_noinfo 2 API calls 28398->28399 28399->28398 28400->28397 26388 7ff6e998b190 26731 7ff6e996255c 26388->26731 26390 7ff6e998b1db 26391 7ff6e998b1ef 26390->26391 26392 7ff6e998be93 26390->26392 26441 7ff6e998b20c 26390->26441 26395 7ff6e998b1ff 26391->26395 26396 7ff6e998b2db 26391->26396 26391->26441 26997 7ff6e998f390 26392->26997 26400 7ff6e998b207 26395->26400 26401 7ff6e998b2a9 26395->26401 26403 7ff6e998b391 26396->26403 26408 7ff6e998b2f5 26396->26408 26397 7ff6e9992320 _handle_error 8 API calls 26402 7ff6e998c350 26397->26402 26398 7ff6e998bec9 26405 7ff6e998bef0 GetDlgItem SendMessageW 26398->26405 26406 7ff6e998bed5 SendDlgItemMessageW 26398->26406 26399 7ff6e998beba SendMessageW 26399->26398 26411 7ff6e997aae0 
101 API calls 27478->27483 27487 7ff6e9972aa0 101 API calls 27479->27487 27480->27463 27481->27466 27482->27478 27483->27478 27484->27462 27485->27476 27486->27459 27487->27471 27488->27473 27490 7ff6e9963af9 27489->27490 27495 7ff6e9963b55 27489->27495 27747 7ff6e9963378 27490->27747 27491 7ff6e9992320 _handle_error 8 API calls 27493 7ff6e9963b67 27491->27493 27493->27394 27493->27396 27495->27491 27496 7ff6e9963b6c 27497 7ff6e9997904 _invalid_parameter_noinfo_noreturn 31 API calls 27496->27497 27498 7ff6e9963b71 27497->27498 27974 7ff6e997886c 27499->27974 27501 7ff6e996f8ba 27978 7ff6e997ef60 GetSystemTime SystemTimeToFileTime 27501->27978 27504 7ff6e9980994 27505 7ff6e9990340 27504->27505 27506 7ff6e9977df4 47 API calls 27505->27506 27507 7ff6e9990373 27506->27507 27508 7ff6e997aae0 48 API calls 27507->27508 27509 7ff6e9990387 27508->27509 27510 7ff6e997da98 48 API calls 27509->27510 27511 7ff6e9990397 27510->27511 27512 7ff6e9961fa0 31 API calls 27511->27512 27513 7ff6e99903a2 27512->27513 27987 7ff6e998fc68 27513->27987 27521 7ff6e9966a0e 27520->27521 27525 7ff6e9966a0a 27520->27525 27530 7ff6e9972bb0 101 API calls 27521->27530 27522 7ff6e9966a1b 27523 7ff6e9966a2f 27522->27523 27524 7ff6e9966a3e 27522->27524 27523->27525 27999 7ff6e9965e24 27523->27999 28061 7ff6e9965130 130 API calls 2 library calls 27524->28061 27525->27402 27527 7ff6e9966a3c 27527->27525 28062 7ff6e996466c 82 API calls 27527->28062 27530->27522 27532 7ff6e996f978 27531->27532 27537 7ff6e996f9b0 27532->27537 27570 7ff6e996fa34 27532->27570 28177 7ff6e998612c 137 API calls 3 library calls 27532->28177 27533 7ff6e9971189 27536 7ff6e997118e 27533->27536 27540 7ff6e99711e1 27533->27540 27535 7ff6e9992320 _handle_error 8 API calls 27538 7ff6e99711c4 27535->27538 27536->27570 28225 7ff6e996dd08 179 API calls 27536->28225 27537->27533 27543 7ff6e996f9d0 27537->27543 27537->27570 27538->27402 27540->27570 28226 7ff6e998612c 137 API calls 3 library calls 27540->28226 27543->27570 28092 7ff6e9969bb0 
27543->28092 27544 7ff6e996fad6 28105 7ff6e9975ef8 27544->28105 27548 7ff6e996fb7a 27570->27535 27709 7ff6e9962c88 27708->27709 27710 7ff6e9962c74 27708->27710 27711 7ff6e9961fa0 31 API calls 27709->27711 27710->27709 28311 7ff6e9962d80 27710->28311 27715 7ff6e9962ca1 27711->27715 27714 7ff6e9962d64 27717 7ff6e9997904 _invalid_parameter_noinfo_noreturn 31 API calls 27714->27717 27715->27714 28341 7ff6e9963090 31 API calls _invalid_parameter_noinfo_noreturn 27715->28341 27716 7ff6e9962d08 28342 7ff6e9963090 31 API calls _invalid_parameter_noinfo_noreturn 27716->28342 27719 7ff6e9962d7c 27717->27719 27720 7ff6e9962d14 27721 7ff6e9961fa0 31 API calls 27720->27721 27722 7ff6e9962d20 27721->27722 28343 7ff6e997878c 27722->28343 27728->27399 27729->27405 27731 7ff6e9974d32 __scrt_get_show_window_mode 27730->27731 27740 7ff6e9974bac 27731->27740 27733 7ff6e9974d54 27734 7ff6e9974d90 27733->27734 27736 7ff6e9974dae 27733->27736 27735 7ff6e9992320 _handle_error 8 API calls 27734->27735 27737 7ff6e9962b32 27735->27737 27738 7ff6e9997904 _invalid_parameter_noinfo_noreturn 31 API calls 27736->27738 27737->27383 27737->27452 27739 7ff6e9974db3 27738->27739 27741 7ff6e9974c27 27740->27741 27743 7ff6e9974c2f BuildCatchObjectHelperInternal 27740->27743 27742 7ff6e9961fa0 31 API calls 27741->27742 27742->27743 27743->27733 27744->27454 27745->27470 27746->27469 27748 7ff6e996339a 27747->27748 27751 7ff6e9963396 27747->27751 27753 7ff6e9963294 27748->27753 27751->27495 27751->27496 27752 7ff6e9972aa0 101 API calls 27752->27751 27754 7ff6e99632bb 27753->27754 27756 7ff6e99632f6 27753->27756 27755 7ff6e99669f8 132 API calls 27754->27755 27759 7ff6e99632db 27755->27759 27761 7ff6e9966e74 27756->27761 27759->27752 27765 7ff6e9966e95 27761->27765 27762 7ff6e99669f8 132 API calls 27762->27765 27763 7ff6e996331d 27763->27759 27766 7ff6e9963904 27763->27766 27765->27762 27765->27763 27793 7ff6e997e808 27765->27793 27801 7ff6e9966a7c 27766->27801 27769 7ff6e996396a 27772 7ff6e996399a 
27769->27772 27773 7ff6e9963989 27769->27773 27770 7ff6e9963a8a 27774 7ff6e9992320 _handle_error 8 API calls 27770->27774 27777 7ff6e99639ec 27772->27777 27778 7ff6e99639a3 27772->27778 27834 7ff6e9980d54 33 API calls 27773->27834 27776 7ff6e9963a9e 27774->27776 27776->27759 27836 7ff6e99626b4 33 API calls BuildCatchObjectHelperInternal 27777->27836 27835 7ff6e9980c80 33 API calls 27778->27835 27779 7ff6e9963ab3 27780 7ff6e9997904 _invalid_parameter_noinfo_noreturn 31 API calls 27779->27780 27782 7ff6e9963ab8 27780->27782 27786 7ff6e9997904 _invalid_parameter_noinfo_noreturn 31 API calls 27782->27786 27784 7ff6e99639b0 27787 7ff6e9961fa0 31 API calls 27784->27787 27791 7ff6e99639c0 BuildCatchObjectHelperInternal 27784->27791 27785 7ff6e9963a13 27837 7ff6e9980ae8 34 API calls _invalid_parameter_noinfo_noreturn 27785->27837 27790 7ff6e9963abe 27786->27790 27787->27791 27788 7ff6e9961fa0 31 API calls 27792 7ff6e996394f 27788->27792 27791->27788 27792->27770 27792->27779 27792->27782 27794 7ff6e997e811 27793->27794 27795 7ff6e997e82b 27794->27795 27799 7ff6e996b664 RtlPcToFileHeader RaiseException std::_Xinvalid_argument 27794->27799 27797 7ff6e997e845 SetThreadExecutionState 27795->27797 27800 7ff6e996b664 RtlPcToFileHeader RaiseException std::_Xinvalid_argument 27795->27800 27799->27795 27800->27797 27802 7ff6e9966a96 _snwprintf 27801->27802 27803 7ff6e9966ae4 27802->27803 27804 7ff6e9966ac4 27802->27804 27805 7ff6e9966d4d 27803->27805 27809 7ff6e9966b0f 27803->27809 27876 7ff6e99628a4 82 API calls 2 library calls 27804->27876 27905 7ff6e99628a4 82 API calls 2 library calls 27805->27905 27808 7ff6e9966ad0 27810 7ff6e9992320 _handle_error 8 API calls 27808->27810 27809->27808 27838 7ff6e9981f94 27809->27838 27811 7ff6e996394b 27810->27811 27811->27769 27811->27792 27833 7ff6e9962794 33 API calls __std_swap_ranges_trivially_swappable 27811->27833 27814 7ff6e9966c2a 27847 7ff6e9974760 27814->27847 27815 7ff6e9966b6e 27877 7ff6e99628a4 82 API calls 2 library calls 
27815->27877 27816 7ff6e9966b80 27818 7ff6e9966b85 27816->27818 27878 7ff6e99640b0 27816->27878 27818->27814 27832 7ff6e9966b7b 27818->27832 27882 7ff6e9978968 109 API calls 27818->27882 27823 7ff6e9966c52 27824 7ff6e9966cc7 27823->27824 27825 7ff6e9966cd1 27823->27825 27851 7ff6e9971794 27824->27851 27883 7ff6e9981f20 27825->27883 27828 7ff6e9966ccf 27903 7ff6e9974700 8 API calls _handle_error 27828->27903 27830 7ff6e9966cfd 27830->27832 27866 7ff6e9981870 27832->27866 27833->27769 27834->27792 27835->27784 27836->27785 27837->27792 27839 7ff6e9982056 std::bad_alloc::bad_alloc 27838->27839 27842 7ff6e9981fc5 std::bad_alloc::bad_alloc 27838->27842 27841 7ff6e9994078 std::_Xinvalid_argument 2 API calls 27839->27841 27840 7ff6e9966b59 27840->27815 27840->27816 27840->27818 27841->27842 27842->27840 27843 7ff6e9994078 std::_Xinvalid_argument 2 API calls 27842->27843 27844 7ff6e998200f std::bad_alloc::bad_alloc 27842->27844 27843->27844 27844->27840 27845 7ff6e9994078 std::_Xinvalid_argument 2 API calls 27844->27845 27846 7ff6e99820a9 27845->27846 27848 7ff6e9974780 27847->27848 27850 7ff6e997478a 27847->27850 27849 7ff6e99921d0 33 API calls 27848->27849 27849->27850 27850->27823 27852 7ff6e99717be __scrt_get_show_window_mode 27851->27852 27906 7ff6e9978a48 27852->27906 27855 7ff6e99717f2 27857 7ff6e9978a48 146 API calls 27855->27857 27858 7ff6e9971830 27855->27858 27916 7ff6e9978c4c 27855->27916 27857->27855 27867 7ff6e998188e 27866->27867 27869 7ff6e99818a1 27867->27869 27926 7ff6e997e948 27867->27926 27871 7ff6e99818d8 27869->27871 27922 7ff6e999236c 27869->27922 27875 7ff6e9981a37 27871->27875 27933 7ff6e997a984 31 API calls _invalid_parameter_noinfo_noreturn 27871->27933 27872 7ff6e9997904 _invalid_parameter_noinfo_noreturn 31 API calls 27873 7ff6e9981ad0 27872->27873 27875->27872 27876->27808 27877->27832 27879 7ff6e99640dd 27878->27879 27881 7ff6e99640d7 __scrt_get_show_window_mode 27878->27881 27879->27881 27934 7ff6e9964120 27879->27934 27881->27818 
27882->27814 27884 7ff6e9981f29 27883->27884 27885 7ff6e9981f5d 27884->27885 27886 7ff6e9981f55 27884->27886 27887 7ff6e9981f49 27884->27887 27885->27828 27970 7ff6e9983964 151 API calls 27886->27970 27940 7ff6e99820ac 27887->27940 27898 7ff6e9984733 BuildCatchObjectHelperInternal 27903->27830 27905->27808 27908 7ff6e9978bcd 27906->27908 27911 7ff6e9978a91 BuildCatchObjectHelperInternal 27906->27911 27907 7ff6e9978c1a 27909 7ff6e997e808 SetThreadExecutionState RtlPcToFileHeader RaiseException 27907->27909 27908->27907 27910 7ff6e996a174 8 API calls 27908->27910 27913 7ff6e9978c1f 27909->27913 27910->27907 27911->27908 27912 7ff6e998612c 137 API calls 27911->27912 27911->27913 27914 7ff6e9974888 108 API calls 27911->27914 27915 7ff6e99728d0 104 API calls 27911->27915 27912->27911 27913->27855 27914->27911 27915->27911 27923 7ff6e999239f 27922->27923 27924 7ff6e99923c8 27923->27924 27925 7ff6e9981870 108 API calls 27923->27925 27924->27871 27925->27923 27927 7ff6e997ecd8 103 API calls 27926->27927 27928 7ff6e997e95f ReleaseSemaphore 27927->27928 27929 7ff6e997e984 27928->27929 27930 7ff6e997e9a3 DeleteCriticalSection CloseHandle CloseHandle 27928->27930 27931 7ff6e997ea5c 101 API calls 27929->27931 27932 7ff6e997e98e CloseHandle 27931->27932 27932->27929 27932->27930 27933->27875 27937 7ff6e9964149 27934->27937 27939 7ff6e9964168 __std_swap_ranges_trivially_swappable __scrt_get_show_window_mode 27934->27939 27935 7ff6e9962018 33 API calls 27936 7ff6e99641eb 27935->27936 27938 7ff6e99921d0 33 API calls 27937->27938 27937->27939 27938->27939 27939->27935 27942 7ff6e99820c8 __scrt_get_show_window_mode 27940->27942 27941 7ff6e99821ba 27941->27898 27942->27941 27943 7ff6e996b75c 82 API calls 27942->27943 27943->27942 27970->27885 27975 7ff6e9978892 27974->27975 27976 7ff6e9978882 27974->27976 27975->27501 27981 7ff6e99723f0 27976->27981 27979 7ff6e9992320 _handle_error 8 API calls 27978->27979 27980 7ff6e996f7dc 27979->27980 27980->27402 27980->27504 27982 7ff6e997240f 
27981->27982 27985 7ff6e9972aa0 101 API calls 27982->27985 27983 7ff6e9972428 27986 7ff6e9972bb0 101 API calls 27983->27986 27984 7ff6e9972438 27984->27975 27985->27983 27986->27984 27988 7ff6e998fc94 27987->27988 27989 7ff6e996129c 33 API calls 27988->27989 27990 7ff6e998fca4 27989->27990 27991 7ff6e998f0a4 24 API calls 27990->27991 27992 7ff6e998fcb1 27991->27992 27993 7ff6e998fceb 27992->27993 27995 7ff6e998fd03 27992->27995 28000 7ff6e9965e67 27999->28000 28063 7ff6e99785f0 28000->28063 28002 7ff6e9966134 28073 7ff6e9966fcc 82 API calls 28002->28073 28004 7ff6e99669af 28005 7ff6e9992320 _handle_error 8 API calls 28004->28005 28007 7ff6e99669c3 28005->28007 28006 7ff6e9966973 28086 7ff6e996466c 82 API calls 28006->28086 28007->27527 28008 7ff6e99669e4 28010 7ff6e9997904 _invalid_parameter_noinfo_noreturn 31 API calls 28008->28010 28009 7ff6e996612e 28009->28002 28009->28006 28013 7ff6e99785f0 104 API calls 28009->28013 28012 7ff6e99669e9 28010->28012 28015 7ff6e99661a4 28013->28015 28015->28002 28019 7ff6e99661ac 28015->28019 28016 7ff6e99669ef 28017 7ff6e9997904 _invalid_parameter_noinfo_noreturn 31 API calls 28016->28017 28020 7ff6e996623f 28019->28020 28074 7ff6e996466c 82 API calls 28019->28074 28020->28006 28022 7ff6e9966266 28020->28022 28057 7ff6e996613c 28057->28004 28057->28008 28057->28016 28061->27527 28064 7ff6e9978614 28063->28064 28066 7ff6e997869a 28063->28066 28065 7ff6e997867c 28064->28065 28067 7ff6e99640b0 33 API calls 28064->28067 28065->28009 28066->28065 28068 7ff6e99640b0 33 API calls 28066->28068 28070 7ff6e997864d 28067->28070 28069 7ff6e99786b3 28068->28069 28072 7ff6e99728d0 104 API calls 28069->28072 28087 7ff6e996a174 28070->28087 28072->28065 28073->28057 28088 7ff6e996a185 28087->28088 28089 7ff6e996a19a 28088->28089 28091 7ff6e997af18 8 API calls 2 library calls 28088->28091 28089->28065 28091->28089 28097 7ff6e9969be7 28092->28097 28093 7ff6e9969c1b 28094 7ff6e9992320 _handle_error 8 API calls 28093->28094 28095 7ff6e9969c9d 
28094->28095 28095->27544 28097->28093 28098 7ff6e9969c83 28097->28098 28101 7ff6e9969cae 28097->28101 28227 7ff6e9975294 28097->28227 28245 7ff6e997db60 28097->28245 28100 7ff6e9961fa0 31 API calls 28098->28100 28100->28093 28102 7ff6e9969cbf 28101->28102 28249 7ff6e997da48 CompareStringW 28101->28249 28102->28098 28104 7ff6e99620b0 33 API calls 28102->28104 28104->28098 28116 7ff6e9975f3a 28105->28116 28106 7ff6e997619b 28108 7ff6e9992320 _handle_error 8 API calls 28106->28108 28107 7ff6e99761ce 28253 7ff6e996704c 47 API calls BuildCatchObjectHelperInternal 28107->28253 28109 7ff6e996fb29 28108->28109 28109->27548 28178 7ff6e9977c94 47 API calls 2 library calls 28109->28178 28111 7ff6e996129c 33 API calls 28113 7ff6e9976129 28111->28113 28112 7ff6e99761d4 28114 7ff6e9961fa0 31 API calls 28113->28114 28115 7ff6e997613b BuildCatchObjectHelperInternal 28113->28115 28114->28115 28115->28106 28117 7ff6e99761c9 28115->28117 28116->28106 28116->28107 28116->28111 28177->27537 28225->27570 28226->27570 28228 7ff6e99752d4 28227->28228 28232 7ff6e9975312 __vcrt_InitializeCriticalSectionEx 28228->28232 28239 7ff6e9975339 __vcrt_InitializeCriticalSectionEx 28228->28239 28250 7ff6e99813f4 CompareStringW 28228->28250 28229 7ff6e9992320 _handle_error 8 API calls 28231 7ff6e9975503 28229->28231 28231->28097 28234 7ff6e9975382 __vcrt_InitializeCriticalSectionEx 28232->28234 28232->28239 28251 7ff6e99813f4 CompareStringW 28232->28251 28235 7ff6e996129c 33 API calls 28234->28235 28236 7ff6e9975439 28234->28236 28234->28239 28237 7ff6e9975426 28235->28237 28238 7ff6e9975489 28236->28238 28241 7ff6e997551b 28236->28241 28240 7ff6e99772cc 8 API calls 28237->28240 28238->28239 28252 7ff6e99813f4 CompareStringW 28238->28252 28239->28229 28240->28236 28243 7ff6e9997904 _invalid_parameter_noinfo_noreturn 31 API calls 28241->28243 28244 7ff6e9975520 28243->28244 28246 7ff6e997db73 28245->28246 28247 7ff6e99620b0 33 API calls 28246->28247 28248 7ff6e997db91 28246->28248 28247->28248 
28248->28097 28249->28102 28250->28232 28251->28234 28252->28239 28253->28112 28314 7ff6e9962da5 28311->28314 28313 7ff6e9997904 _invalid_parameter_noinfo_noreturn 31 API calls 28315 7ff6e9963045 28313->28315 28340 7ff6e9963025 28314->28340 28357 7ff6e997b7e4 31 API calls _invalid_parameter_noinfo_noreturn 28314->28357 28316 7ff6e999236c 108 API calls 28315->28316 28317 7ff6e996306f 28316->28317 28318 7ff6e999236c 108 API calls 28317->28318 28321 7ff6e9963087 28318->28321 28319 7ff6e9962dfa 28320 7ff6e9961fa0 31 API calls 28319->28320 28319->28340 28322 7ff6e9962fb9 28320->28322 28321->27709 28323 7ff6e9961fa0 31 API calls 28322->28323 28324 7ff6e9962fc5 28323->28324 28325 7ff6e9961fa0 31 API calls 28324->28325 28326 7ff6e9962fd1 28325->28326 28327 7ff6e9961fa0 31 API calls 28326->28327 28328 7ff6e9962fdd 28327->28328 28329 7ff6e9961fa0 31 API calls 28328->28329 28330 7ff6e9962fe9 28329->28330 28331 7ff6e9961fa0 31 API calls 28330->28331 28332 7ff6e9962ff5 28331->28332 28333 7ff6e9961fa0 31 API calls 28332->28333 28334 7ff6e9963001 28333->28334 28335 7ff6e9961fa0 31 API calls 28334->28335 28336 7ff6e996300d 28335->28336 28337 7ff6e9961fa0 31 API calls 28336->28337 28338 7ff6e9963019 28337->28338 28339 7ff6e9961fa0 31 API calls 28338->28339 28339->28340 28340->28313 28341->27716 28342->27720 28344 7ff6e99787af 28343->28344 28346 7ff6e99787df 28343->28346 28345 7ff6e999236c 108 API calls 28344->28345 28349 7ff6e99787ca 28345->28349 28347 7ff6e999236c 108 API calls 28346->28347 28355 7ff6e997882b 28346->28355 28350 7ff6e9978814 28347->28350 28352 7ff6e999236c 108 API calls 28349->28352 28353 7ff6e999236c 108 API calls 28350->28353 28351 7ff6e9978845 28354 7ff6e997461c 108 API calls 28351->28354 28352->28346 28353->28355 28356 7ff6e9978851 28354->28356 28358 7ff6e997461c 28355->28358 28357->28319 28359 7ff6e9974632 28358->28359 28361 7ff6e997463a 28358->28361 28360 7ff6e997e948 108 API calls 28359->28360 28360->28361 28361->28351 28363 7ff6e997163e 28362->28363 28367 
7ff6e9971681 28362->28367 28366 7ff6e99731bc 51 API calls 28363->28366 28363->28367 28364 7ff6e996e600 31 API calls 28372 7ff6e99716de 28364->28372 28365 7ff6e9961fa0 31 API calls 28365->28367 28366->28363 28367->28365 28369 7ff6e99716a0 28367->28369 28368 7ff6e9992320 _handle_error 8 API calls 28373 7ff6e996e58a 28368->28373 28369->28364 28370 7ff6e997178d 28374 7ff6e9997904 _invalid_parameter_noinfo_noreturn 31 API calls 28370->28374 28371 7ff6e997175b 28371->28368 28372->28370 28372->28371 28373->27340 28373->27342 28375 7ff6e9971792 28374->28375 28376->27006 28377->27013 28378->27015
Memory Dump Source
• Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
• Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
Similarity
• API ID: Item$Message$_invalid_parameter_noinfo_noreturn$Send$DialogText$File$ErrorLast$CloseFindFocusLoadStringViewWindow$CommandConcurrency::cancel_current_taskCountCreateDispatchEnableExecuteFirstHandleLineMappingParamShellSleepTickTranslateUnmap
• String ID: %s %s$-el -s2 "-d%s" "-sp%s"$@$LICENSEDLG$REPLACEFILEDLG$STARTDLG$__tmp_rar_sfx_access_check_$p$runas$winrarsfxmappingfile.tmp
• API String ID: 255727823-2702805183
• Opcode ID: 3e6d9a693a79c7c9cf2c1e4f069a4971a6be31a9e2dbb94d55183296269d1cf4
• Instruction ID: 574e860ef1b287aed9e3fc1d2fa2761eca83ffbfb68b563b3c6a415c2ea82650
• Opcode Fuzzy Hash: 3e6d9a693a79c7c9cf2c1e4f069a4971a6be31a9e2dbb94d55183296269d1cf4
• Instruction Fuzzy Hash: 3FD2D163A1868295FB249F25E8443F96361EF85780F484136D94DCBAE7EF3EE544C30A

Similarity
• API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task$FileMessageMoveSend$DialogItemPathTemp
• String ID: .lnk$.tmp$<br>$@set:user$HIDE$MAX$MIN$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$lnk
• API String ID: 3007431893-3916287355
• Opcode ID: 6ebf391096c313739f4001c1e8d4f8bb144ce40d1e5a517d741761108fe7ef46
• Instruction ID: 25aa7d3a309fab7ef08d25489969097b1f0075341e0e621b51fa4ae80839210e
• Opcode Fuzzy Hash: 6ebf391096c313739f4001c1e8d4f8bb144ce40d1e5a517d741761108fe7ef46
• Instruction Fuzzy Hash: E213AF23A14B8299EB24DF74D8503EC27A1EF40398F580539DA1D97ADBDF3AE584C349

Control-flow Graph
Legend: Executed, Not Executed
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$EnvironmentHandleVariableView$_invalid_parameter_noinfo_noreturn$AddressCloseCurrentDeleteDirectoryModuleObjectProcUnmap$CommandDialogIconInitializeLineLoadLocalMallocMappingOpenParamSleepTimeswprintf
                                                                                                                • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                                                                                                • API String ID: 1048086575-3710569615
                                                                                                                • Opcode ID: c5916489d6819e2517ae573ce65b4a279a224d0388b5e67202a83574e880266c
                                                                                                                • Instruction ID: 7660790a9cb071b6bba680e01c54d97a7f9a44f096a80051c1410704bd8168ea
                                                                                                                • Opcode Fuzzy Hash: c5916489d6819e2517ae573ce65b4a279a224d0388b5e67202a83574e880266c
                                                                                                                • Instruction Fuzzy Hash: B9129963E18B8286FB109F25E8453BD6361FF84784F484235DA5D86AA7DF7EE140C34A

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWideswprintf
                                                                                                                • String ID: $%s:$CAPTION
                                                                                                                • API String ID: 2100155373-404845831
                                                                                                                • Opcode ID: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
                                                                                                                • Instruction ID: 81d8169b616d919e3ebd223ce1795772df4fda92414e9cd0dc5ddca472b356de
                                                                                                                • Opcode Fuzzy Hash: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
                                                                                                                • Instruction Fuzzy Hash: 5491D633B1864186E714CF79A80076AA7A1FF84784F485535EE4E8BB99DF3DE805CB04

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
                                                                                                                • String ID: PNG
                                                                                                                • API String ID: 211097158-364855578
                                                                                                                • Opcode ID: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
                                                                                                                • Instruction ID: d7149b5c138a2508451fd25a2429f87ef968f6b0690b5fc840f63f8b529ed8c2
                                                                                                                • Opcode Fuzzy Hash: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
                                                                                                                • Instruction Fuzzy Hash: 20411F26E09A0281EF189F17D8443B963A4EF88BD4F0C4439CD1D87366EF7EE4458716
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                • String ID: __tmp_reference_source_
                                                                                                                • API String ID: 3668304517-685763994
                                                                                                                • Opcode ID: f561e0e70ed0c8f261922accd0b1c0d9c667734151b31c61fa76ef6c2567ebf6
                                                                                                                • Instruction ID: 9ed6d2399738e6027c5741625e9d178528becfb6bc1539486d1ebbeadce2365f
                                                                                                                • Opcode Fuzzy Hash: f561e0e70ed0c8f261922accd0b1c0d9c667734151b31c61fa76ef6c2567ebf6
                                                                                                                • Instruction Fuzzy Hash: DEE29163A186C292EA648F25E1403BE6761FF81784F484132DB9D936E7DF3EE454C70A
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                • String ID: CMT
                                                                                                                • API String ID: 3668304517-2756464174
                                                                                                                • Opcode ID: 7b5fa825bd18b07956be4adf978f5c614e6a418d86798f7ae75c37915e2fc538
                                                                                                                • Instruction ID: dc23a632287b577d445aef2ba77c1e0024a83a52dd26508ae5988123ed0479b6
                                                                                                                • Opcode Fuzzy Hash: 7b5fa825bd18b07956be4adf978f5c614e6a418d86798f7ae75c37915e2fc538
                                                                                                                • Instruction Fuzzy Hash: 36E2DB33B2868286EB189F65D5903FE67A1AF45384F480035DA5E83797DF3EE054C38A

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FileFind$ErrorFirstLast_invalid_parameter_noinfo_noreturn$Next
                                                                                                                • String ID:
                                                                                                                • API String ID: 474548282-0
                                                                                                                • Opcode ID: e00911ed99825cb93216281e8042c5d8089b28651dbc7c90a12e2ff066408ff5
                                                                                                                • Instruction ID: 4715500703f29ce28df8979a2a7c7c97b003a659b2299379fff441cd7388a163
                                                                                                                • Opcode Fuzzy Hash: e00911ed99825cb93216281e8042c5d8089b28651dbc7c90a12e2ff066408ff5
                                                                                                                • Instruction Fuzzy Hash: 7B61A263A18A4285EA109F29E8403BD6361FF957A4F144331EABD83BDADF3DD584C705

                                                                                                                Control-flow Graph

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: CMT
                                                                                                                • API String ID: 0-2756464174
                                                                                                                • Opcode ID: 8928320ae6cd716fc977bb68eff86db0b2a70291441e82f998a9964a40b9c2b9
                                                                                                                • Instruction ID: e3af6fb74d721f8740b4321af8d15abbd4495fcd29780f6ebfbb4196e3c39733
                                                                                                                • Opcode Fuzzy Hash: 8928320ae6cd716fc977bb68eff86db0b2a70291441e82f998a9964a40b9c2b9
                                                                                                                • Instruction Fuzzy Hash: 0342BAA3B186829AEB189F75C1503FD67A0AF41388F480136DB5E936D7DF39E518C386
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 00cc9b5d49baee892d39d1da46008d2b4229947a5b0a2c39888c4d08721f4c94
                                                                                                                • Instruction ID: 13c4424c7b7914c663e350ff2db34f8a9400fcd3fe17f97e2b307c06612ff085
                                                                                                                • Opcode Fuzzy Hash: 00cc9b5d49baee892d39d1da46008d2b4229947a5b0a2c39888c4d08721f4c94
                                                                                                                • Instruction Fuzzy Hash: 8FE1B463A082828AEB78CF29A4453BD7791FF44788F094139DB4E87786DF3EE5418709
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 53555d60e433f5a3dc88a335546444deb1b2c319cd0ac3813d1caa597a53afb2
                                                                                                                • Instruction ID: 653dac16d66f361cd90303f368e39f1600d2b7ab3e52af41412ef7ae9915a1a8
                                                                                                                • Opcode Fuzzy Hash: 53555d60e433f5a3dc88a335546444deb1b2c319cd0ac3813d1caa597a53afb2
                                                                                                                • Instruction Fuzzy Hash: 62B1CFA3B04AC992DE6CCE66D6097E9A395BB05BC4F48803ADE0D87742DF3DE155C306
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                                                                                • String ID:
                                                                                                                • API String ID: 3340455307-0
                                                                                                                • Opcode ID: 70d0a199513ddd0303306b6c1f9c9cd84068436a56a79b22c40158a956f58a9a
                                                                                                                • Instruction ID: e3cef524f4bc3860a510c26a61c3707cfb015d79d4ba5233f814c76ecbe34177
                                                                                                                • Opcode Fuzzy Hash: 70d0a199513ddd0303306b6c1f9c9cd84068436a56a79b22c40158a956f58a9a
                                                                                                                • Instruction Fuzzy Hash: 1741F323B1565286FA68DE22A95076A2353BFC4B88F084030DE0D877D7DF3DE4428749

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo_noreturn$Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadModulePointerReadSleepStringSystemVersionWrite
                                                                                                                • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll
                                                                                                                • API String ID: 1496594111-2013832382
                                                                                                                • Opcode ID: 652c747d7e630e86415ee3ad066f254a367a94a472fe2acd263d178260856de2
                                                                                                                • Instruction ID: b152ea27aa93907c04b961991bfff1e7fd25a6c92b5dc452d8fa832f6cb09626
                                                                                                                • Opcode Fuzzy Hash: 652c747d7e630e86415ee3ad066f254a367a94a472fe2acd263d178260856de2
                                                                                                                • Instruction Fuzzy Hash: 1F323D33E09B8299EB219F64E8402E933A4FF44354F580236DA4D877A6EF7ED654C349
                                                                                                                APIs
                                                                                                                  • Part of subcall function 00007FF6E9978E58: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6E9978F8D
                                                                                                                • _snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6E9979F75
                                                                                                                • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6E997A42F
                                                                                                                • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6E997A435
                                                                                                                  • Part of subcall function 00007FF6E9980BBC: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6E9980B44), ref: 00007FF6E9980BE9
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo_noreturn$ByteCharConcurrency::cancel_current_taskMultiWide_snwprintf
                                                                                                                • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
                                                                                                                • API String ID: 3629253777-3268106645
                                                                                                                • Opcode ID: e9373c6c8447d3f6bd3ca8f7216f9b88ee08b61aa473e508913f217581450698
                                                                                                                • Instruction ID: 3452927f6ce313f3437538351a7aa0ea3abd02c6251890e02aa0963d64dc111a
                                                                                                                • Opcode Fuzzy Hash: e9373c6c8447d3f6bd3ca8f7216f9b88ee08b61aa473e508913f217581450698
                                                                                                                • Instruction Fuzzy Hash: BD62AF23B1AA8295EB10DF25C4443BD2365FF50788F884132EA5D8B6D6EF3EE544C34A

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: DloadSection$AccessExceptionProtectRaiseReleaseWrite$ErrorLastLibraryLoad
                                                                                                                • String ID: H
                                                                                                                • API String ID: 3432403771-2852464175
                                                                                                                • Opcode ID: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
                                                                                                                • Instruction ID: 9113c2d3a20ac900f70ca7070c6cbfa0c558f84b610a099ae60fa7f013d8f05e
                                                                                                                • Opcode Fuzzy Hash: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
                                                                                                                • Instruction Fuzzy Hash: 18912733E05B528AEB24CF66D8403A823B1FF08B98F494535DE0E5775AEF79A445C309

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_invalid_parameter_noinfo_noreturn
                                                                                                                • String ID: .exe$.inf$Install$p
                                                                                                                • API String ID: 1054546013-3607691742
                                                                                                                • Opcode ID: ca10c692b0092673a70f825e0f7c38ef792e5221b25db3a1f8716acfce167973
                                                                                                                • Instruction ID: 9d001ccf771038aa536935d8b1f5860ffd1543e6e00583ffa9c29cef77b5701c
                                                                                                                • Opcode Fuzzy Hash: ca10c692b0092673a70f825e0f7c38ef792e5221b25db3a1f8716acfce167973
                                                                                                                • Instruction Fuzzy Hash: 75C17F63F18A0295FB24CF65D94037D23A1EF85B84F085039DA4EC76A6DF3EE495834A

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 3569833718-0
                                                                                                                • Opcode ID: 6d17268858d6b6aed380ad60cc2cf8b16547cb3a0c40a3112c59011326a33119
                                                                                                                • Instruction ID: b9e9e3dc7e4292dba3e5e70f22a2c8e94102f62ae83db57b651ef906ba709e39
                                                                                                                • Opcode Fuzzy Hash: 6d17268858d6b6aed380ad60cc2cf8b16547cb3a0c40a3112c59011326a33119
                                                                                                                • Instruction Fuzzy Hash: 1A41A632B1464286F710CF71EC14BA93360EF45B98F481135DD0A4BB9ACF7EE4458759
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                • String ID:
                                                                                                                • API String ID: 3668304517-0
                                                                                                                • Opcode ID: 2b7cf89fae77d1b38b76451e9b19ed7b8d05d4ba88469d1939a18fabe5b124cf
                                                                                                                • Instruction ID: b2f8cb912abf467c39d84d9ff4379986b2fe4fc946ee86bfd6e20d17b09e4368
                                                                                                                • Opcode Fuzzy Hash: 2b7cf89fae77d1b38b76451e9b19ed7b8d05d4ba88469d1939a18fabe5b124cf
                                                                                                                • Instruction Fuzzy Hash: FC12AE63B28B4185EA10CF65D4443BD2361EF457A8F440236DA5C97AEBDF3EE485C389

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$CreateErrorLast$Time_invalid_parameter_noinfo_noreturn
                                                                                                                • String ID:
                                                                                                                • API String ID: 3536497005-0
                                                                                                                • Opcode ID: 19081f07b04ed34faab68774849f12bc4f8b326dabedcfb758f4ed5384e6b2c2
                                                                                                                • Instruction ID: 7a8e1fcb4805bf3017cb0131499bf67f54d4802eb97ef2b452eff2f2d11b5e9e
                                                                                                                • Opcode Fuzzy Hash: 19081f07b04ed34faab68774849f12bc4f8b326dabedcfb758f4ed5384e6b2c2
                                                                                                                • Instruction Fuzzy Hash: CE61E273A1868185E7208F29E50436E67B1FB847A8F140335DFAD43ADADF7ED0548709

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Global$Resource$Object$AllocBitmapCreateDeleteGdipLoadLock$FindFreeFromSizeofStreamUnlock
                                                                                                                • String ID: ]
                                                                                                                • API String ID: 3561356813-3352871620
                                                                                                                • Opcode ID: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
                                                                                                                • Instruction ID: 295eff288590d9d504dead1e7f858abb2e02842624c8beb504a863e76f8195e9
                                                                                                                • Opcode Fuzzy Hash: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
                                                                                                                • Instruction Fuzzy Hash: B2116623B0D64242FA78DF63D6543795291AF88BC4F0C0038D96D87B9BDE2EE804870A

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Message$DialogDispatchPeekTranslate
                                                                                                                • String ID:
                                                                                                                • API String ID: 1266772231-0
                                                                                                                • Opcode ID: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
                                                                                                                • Instruction ID: 0d267bab028070c5435dc0c11a5e9eb46da57c613e7fc7efab47062cf7bc7247
                                                                                                                • Opcode Fuzzy Hash: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
                                                                                                                • Instruction Fuzzy Hash: 3FF03C27B3854292FB609F60EC95B362361FFA0704F885431E54F86856DF2ED518CB09

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                                                                                • String ID: EDIT
                                                                                                                • API String ID: 4243998846-3080729518
                                                                                                                • Opcode ID: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
                                                                                                                • Instruction ID: f0be0dcd4610b5b784fa5b8a03ab32f047eecdb831703c05d17b57f8f9d47da1
                                                                                                                • Opcode Fuzzy Hash: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
                                                                                                                • Instruction Fuzzy Hash: 16018123B19A8381FB349F21EC103B66390AFA9740F4C0035C94E8A696EE2EE149C759

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FileWrite$Handle
                                                                                                                • String ID:
                                                                                                                • API String ID: 4209713984-0
                                                                                                                • Opcode ID: 80d679962d8da8723b1dfdab07288302c85f97641ab732a3254a9a7b380aa9c3
                                                                                                                • Instruction ID: 831d2d4f5d87af0da66e4bb85995176cef7235f5e46c7cfa840ff1efa55c0cb0
                                                                                                                • Opcode Fuzzy Hash: 80d679962d8da8723b1dfdab07288302c85f97641ab732a3254a9a7b380aa9c3
                                                                                                                • Instruction Fuzzy Hash: 92510823B2954292EB108F25D84477E2360FF54B90F181131DA0D866D2DFBED485C30A

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo_noreturn$TextWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 2912839123-0
                                                                                                                • Opcode ID: 6a828e286131a032937447b27f48723e1ed6b8eb847440d2fa50bfc5554fc421
                                                                                                                • Instruction ID: bfc6e3e7fa813561913c811ade1b29e84191d37e3cdc33d928bd660b6ea144cc
                                                                                                                • Opcode Fuzzy Hash: 6a828e286131a032937447b27f48723e1ed6b8eb847440d2fa50bfc5554fc421
                                                                                                                • Instruction Fuzzy Hash: E55181A3F1465288FB049FA5D8453BD2322AF45B94F480635DA2C9ABD7DF6ED440C34A
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CreateDirectory$ErrorLast_invalid_parameter_noinfo_noreturn
                                                                                                                • String ID:
                                                                                                                • API String ID: 2359106489-0
                                                                                                                • Opcode ID: 25b09b08149b20c8b4e07bd85b1a81093c04adcd4e8e53ff44e467d12699f09b
                                                                                                                • Instruction ID: c56690e35e705f7e8a39809bd904e165b577589d507cd0351f76ae7e467fb950
                                                                                                                • Opcode Fuzzy Hash: 25b09b08149b20c8b4e07bd85b1a81093c04adcd4e8e53ff44e467d12699f09b
                                                                                                                • Instruction Fuzzy Hash: 6C31D763E1C68251EA209F25B44637D6351FF887A0F580231EE9DC37D6EF3ED455860A
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
                                                                                                                • String ID:
                                                                                                                • API String ID: 1452418845-0
                                                                                                                • Opcode ID: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
                                                                                                                • Instruction ID: 42a5cb0f224ab7a9685c36f36adb7ab9640142f1036218ad80c84ba0a48a1f04
                                                                                                                • Opcode Fuzzy Hash: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
                                                                                                                • Instruction Fuzzy Hash: D4311C23E0D2034AFA54AFA598523FD1391AF55384F4C1434D90ECB6D7DE2FA844825F
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ErrorLast$FileHandleRead
                                                                                                                • String ID:
                                                                                                                • API String ID: 2244327787-0
                                                                                                                • Opcode ID: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
                                                                                                                • Instruction ID: b922ae2cc89cce1edef0a687671fc471d39357c8e52b6f6834e0ec4ee9097609
                                                                                                                • Opcode Fuzzy Hash: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
                                                                                                                • Instruction Fuzzy Hash: 55215323E2C65281EA605F11A40037D63A0FF45FA4F1C4531DA9DC66C6CFBED885877A
                                                                                                                APIs
                                                                                                                  • Part of subcall function 00007FF6E997ECD8: ResetEvent.KERNEL32 ref: 00007FF6E997ECF1
                                                                                                                  • Part of subcall function 00007FF6E997ECD8: ReleaseSemaphore.KERNEL32 ref: 00007FF6E997ED07
                                                                                                                • ReleaseSemaphore.KERNEL32 ref: 00007FF6E997E974
                                                                                                                • CloseHandle.KERNELBASE ref: 00007FF6E997E993
                                                                                                                • DeleteCriticalSection.KERNEL32 ref: 00007FF6E997E9AA
                                                                                                                • CloseHandle.KERNEL32 ref: 00007FF6E997E9B7
                                                                                                                  • Part of subcall function 00007FF6E997EA5C: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF6E997E95F,?,?,?,00007FF6E997463A,?,?,?), ref: 00007FF6E997EA63
                                                                                                                  • Part of subcall function 00007FF6E997EA5C: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF6E997E95F,?,?,?,00007FF6E997463A,?,?,?), ref: 00007FF6E997EA6E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CloseHandleReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                                                                                • String ID:
                                                                                                                • API String ID: 502429940-0
                                                                                                                • Opcode ID: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
                                                                                                                • Instruction ID: 99f9bb707cacd175fe9c6cd479055767a3192a7e47404c462bf99dad7d954640
                                                                                                                • Opcode Fuzzy Hash: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
                                                                                                                • Instruction Fuzzy Hash: AD01ED37A14A9192E648DF21E5443ADA321FF84B90F084031DB6E53666CF7AE4B5C749
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Thread$CreatePriority
                                                                                                                • String ID: CreateThread failed
                                                                                                                • API String ID: 2610526550-3849766595
                                                                                                                • Opcode ID: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
                                                                                                                • Instruction ID: 565470b4b470c1987a60527aa49d6d9069a080d048b0f167f53064841cbd1b60
                                                                                                                • Opcode Fuzzy Hash: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
                                                                                                                • Instruction Fuzzy Hash: 0B118F33A18A4281EB00DF21E8413A97760FF84794F5C4131DA5E8666AEF7EE581C749
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: DirectoryInitializeMallocSystem
                                                                                                                • String ID: riched20.dll
                                                                                                                • API String ID: 174490985-3360196438
                                                                                                                • Opcode ID: 0d85db053d286d1bd0fa19ead2840fc3f5149c6ee0f027e6ed6c33eb2c824e37
                                                                                                                • Instruction ID: 83215e6dfd78ed5d62e48ba6c2835681bedaf87307b0584e856cb4c3d6324d26
                                                                                                                • Opcode Fuzzy Hash: 0d85db053d286d1bd0fa19ead2840fc3f5149c6ee0f027e6ed6c33eb2c824e37
                                                                                                                • Instruction Fuzzy Hash: 72F04472618A4182EB10DF60F85436E73A0FF44754F480135E98E86756DF7DD559CB05
                                                                                                                APIs
                                                                                                                  • Part of subcall function 00007FF6E998853C: GlobalMemoryStatusEx.KERNEL32 ref: 00007FF6E998856C
                                                                                                                  • Part of subcall function 00007FF6E997AAE0: LoadStringW.USER32 ref: 00007FF6E997AB67
                                                                                                                  • Part of subcall function 00007FF6E997AAE0: LoadStringW.USER32 ref: 00007FF6E997AB80
                                                                                                                  • Part of subcall function 00007FF6E9961FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6E9961FFB
                                                                                                                  • Part of subcall function 00007FF6E996129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6E9961396
                                                                                                                • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6E99901BB
                                                                                                                • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6E99901C1
                                                                                                                • SendDlgItemMessageW.USER32 ref: 00007FF6E99901F2
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo_noreturn$LoadString$Concurrency::cancel_current_taskGlobalItemMemoryMessageSendStatus
                                                                                                                • String ID:
                                                                                                                • API String ID: 3106221260-0
                                                                                                                • Opcode ID: 8f1075e1628d8404eb0b8ff5fd078457097412357c837472e4b89e485d66000c
                                                                                                                • Instruction ID: 3530501d584b2b6c1b2372a9605fde5f6d2a13a28029a6889aecf4d30f240796
                                                                                                                • Opcode Fuzzy Hash: 8f1075e1628d8404eb0b8ff5fd078457097412357c837472e4b89e485d66000c
                                                                                                                • Instruction Fuzzy Hash: 7D51C063F156429AFB209FA5D4413FD2322AF85B88F480135DA1D9B7D7DE2DE540C389
                                                                                                                APIs
                                                                                                                Similarity
                                                                                                                • API ID: CreateFile$_invalid_parameter_noinfo_noreturn
                                                                                                                • String ID:
                                                                                                                • API String ID: 2272807158-0
                                                                                                                • Opcode ID: 4633aabe45209f1f9dd1ffe7955cd7619df91bc49ec48e97e2d646cf6da4e046
                                                                                                                • Instruction ID: d28cd7a96e08b2fdd68bf9730199cb64416ff0b9066c7345c2d6956bf902c7e5
                                                                                                                • Opcode Fuzzy Hash: 4633aabe45209f1f9dd1ffe7955cd7619df91bc49ec48e97e2d646cf6da4e046
                                                                                                                • Instruction Fuzzy Hash: 8241A073A1878186EA148F15E44436D63A1FF84BB4F185334DFAD43AD6CF7EE4908609
                                                                                                                APIs
                                                                                                                Similarity
                                                                                                                • API ID: TextWindow$Length_invalid_parameter_noinfo_noreturn
                                                                                                                • String ID:
                                                                                                                • API String ID: 2176759853-0
                                                                                                                • Opcode ID: 99f260cf01eacc222b7a5352e24814868a0cac877fcbd5e2c3ba6216c957fae9
                                                                                                                • Instruction ID: 408119aac525c025cb8385ca44d52ba1971f2fcb39936c08c1d21504f0a3e5e0
                                                                                                                • Opcode Fuzzy Hash: 99f260cf01eacc222b7a5352e24814868a0cac877fcbd5e2c3ba6216c957fae9
                                                                                                                • Instruction Fuzzy Hash: 55218473A28B8181EA148F65A84027EA364FF89BD0F185235EBDD43B96DF3DD150C745
                                                                                                                APIs
                                                                                                                Similarity
                                                                                                                • API ID: std::bad_alloc::bad_alloc
                                                                                                                • String ID:
                                                                                                                • API String ID: 1875163511-0
                                                                                                                • Opcode ID: 65d8091f10f06cce83768fe095ce433e052fa83f4fe25a8c85fad3cbd40ccd0d
                                                                                                                • Instruction ID: 6003930d6582d407859f8d2e26ddb76b0768017c6a8cb6bc9b16bfbf8fec1d46
                                                                                                                • Opcode Fuzzy Hash: 65d8091f10f06cce83768fe095ce433e052fa83f4fe25a8c85fad3cbd40ccd0d
                                                                                                                • Instruction Fuzzy Hash: 50318F23A1968695FB399F14E4443BD63A0FF40B84F5C4036D24C866AADF6EE946C30B
                                                                                                                APIs
                                                                                                                Similarity
                                                                                                                • API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
                                                                                                                • String ID:
                                                                                                                • API String ID: 1203560049-0
                                                                                                                • Opcode ID: 3b5c7dfba4016e6e243c7c3b7e225e8d3a84efcc83b0b2c8433822de01f77114
                                                                                                                • Instruction ID: ed596dff2507072305de4304063cc31e90c7f716682099a54a23fe02515b109d
                                                                                                                • Opcode Fuzzy Hash: 3b5c7dfba4016e6e243c7c3b7e225e8d3a84efcc83b0b2c8433822de01f77114
                                                                                                                • Instruction Fuzzy Hash: 4F21C863A1868282EA209F25F4453AD6361FF88B94F185230EE9D866D6EF3DD550C609
                                                                                                                APIs
                                                                                                                Similarity
                                                                                                                • API ID: DeleteFile$_invalid_parameter_noinfo_noreturn
                                                                                                                • String ID:
                                                                                                                • API String ID: 3118131910-0
                                                                                                                • Opcode ID: efdceb5f5ffab25265e5fdcae37b3fa604f3c5543451d082f18575ff986ab35b
                                                                                                                • Instruction ID: cb166c9cfd1c94bdd9581a0304e291fedd55a3de0b6657c571aff30176b1a0e0
                                                                                                                • Opcode Fuzzy Hash: efdceb5f5ffab25265e5fdcae37b3fa604f3c5543451d082f18575ff986ab35b
                                                                                                                • Instruction Fuzzy Hash: 67217133A1878181EA108F25F44536E6360FF88BD4F545230EE9E86AEADF2ED550C749
                                                                                                                APIs
                                                                                                                Similarity
                                                                                                                • API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
                                                                                                                • String ID:
                                                                                                                • API String ID: 1203560049-0
                                                                                                                • Opcode ID: 4ae5ded5c3556da1f0d03c02a2ab6d15854b36abb35067c68a226e6d7cfb6ad4
                                                                                                                • Instruction ID: 013bff97a7783354e30e11cbcdf012a4b96d0c6f8a7158052c0169210254c83c
                                                                                                                • Opcode Fuzzy Hash: 4ae5ded5c3556da1f0d03c02a2ab6d15854b36abb35067c68a226e6d7cfb6ad4
                                                                                                                • Instruction Fuzzy Hash: 6A217773A1868181EA109F19F44536D6361FFC8BA4F540231EAAD837D6DF3DD550C619
                                                                                                                APIs
                                                                                                                Similarity
                                                                                                                • API ID: Process$CurrentExitTerminate
                                                                                                                • String ID:
                                                                                                                • API String ID: 1703294689-0
                                                                                                                • Opcode ID: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
                                                                                                                • Instruction ID: 6164b0c8ca70ac0c0ed1b6660730b3a52e39966737c30b8d00e32b0d15130dad
                                                                                                                • Opcode Fuzzy Hash: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
                                                                                                                • Instruction Fuzzy Hash: 26E04F26F043054AEB546F3298953B92352AF89B42F184438D81E83397CEBFE849871A
                                                                                                                APIs
                                                                                                                • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6E996F895
                                                                                                                • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6E996F89B
                                                                                                                  • Part of subcall function 00007FF6E9973EC8: FindClose.KERNELBASE(?,?,00000000,00007FF6E9980811), ref: 00007FF6E9973EFD
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo_noreturn$CloseFind
                                                                                                                • String ID:
                                                                                                                • API String ID: 3587649625-0
                                                                                                                • Opcode ID: 523cfcae4ce27e4da1045e17439fd3e37f9321daedba48ff7041e95377e0fec7
                                                                                                                • Instruction ID: 2e50e403f914826fd65b4db6621d4ef446bb89f4056a50c0b507c9556f1e8ffd
                                                                                                                • Opcode Fuzzy Hash: 523cfcae4ce27e4da1045e17439fd3e37f9321daedba48ff7041e95377e0fec7
                                                                                                                • Instruction Fuzzy Hash: 4D91BE73A28A8194FB10DF24D4403AD6361FF84798F884135EA4D87AEBDF7AD585C385
                                                                                                                APIs
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                • String ID:
                                                                                                                • API String ID: 3668304517-0
                                                                                                                • Opcode ID: b7d18fcdb9ce11e94f0f8a2afa8545fe9f5a6d7038082b9b3b6f763717e9c5a1
                                                                                                                • Instruction ID: b02c23b0bcc9a66d8c3d6beece7738e074c18285c5f996618ae8c283076ce8b9
                                                                                                                • Opcode Fuzzy Hash: b7d18fcdb9ce11e94f0f8a2afa8545fe9f5a6d7038082b9b3b6f763717e9c5a1
                                                                                                                • Instruction Fuzzy Hash: 7741C063F2465288FB00DFB5D4413AD2720AF45B98F181235DE1DA7ADBDE3A9082C289
                                                                                                                APIs
                                                                                                                • SetFilePointer.KERNELBASE(00000000,00000002,?,00000F99,?,00007FF6E997274D), ref: 00007FF6E99728A9
                                                                                                                • GetLastError.KERNEL32(?,00007FF6E997274D), ref: 00007FF6E99728B8
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ErrorFileLastPointer
                                                                                                                • String ID:
                                                                                                                • API String ID: 2976181284-0
                                                                                                                • Opcode ID: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
                                                                                                                • Instruction ID: b7675171b1ecc0939fc2ccbdf049726f5b42d45e2bae8c9c5a8faeaa2ab2af22
                                                                                                                • Opcode Fuzzy Hash: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
                                                                                                                • Instruction Fuzzy Hash: 1B318223B29A5282FA604E2AD9407FD6390EF04BD4F1C1131DE5D877E2DEBFE4818646
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Item_invalid_parameter_noinfo_noreturn
                                                                                                                • String ID:
                                                                                                                • API String ID: 1746051919-0
                                                                                                                • Opcode ID: 0d2cfb920ea231b6e9d51c7db040a15a52ec3b00ba863ec475c32ede1f66f479
                                                                                                                • Instruction ID: 5d0a48a865e99a95a02097072f699e613533cdade451f65a9d0d6577c9ec9a32
                                                                                                                • Opcode Fuzzy Hash: 0d2cfb920ea231b6e9d51c7db040a15a52ec3b00ba863ec475c32ede1f66f479
                                                                                                                • Instruction Fuzzy Hash: 6E31C123A2874186EA108F15E44536E7360EF84B90F484235EB9C87B97DF3DE040C749
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$BuffersFlushTime
                                                                                                                • String ID:
                                                                                                                • API String ID: 1392018926-0
                                                                                                                • Opcode ID: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
                                                                                                                • Instruction ID: 1cb7615cd20c710ff69fafa80b40c95b97a7587cbbba9e0e18891b82dd7b4721
                                                                                                                • Opcode Fuzzy Hash: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
                                                                                                                • Instruction Fuzzy Hash: 1621B223F19B5251EA628F62E4047BE6790AF02794F1D4431DE4C462E6EE7ED586C20A
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: LoadString
                                                                                                                • String ID:
                                                                                                                • API String ID: 2948472770-0
                                                                                                                • Opcode ID: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
                                                                                                                • Instruction ID: 169d8fd1f78cf30ac39f65ec43e0034fe22566e303df4c0336e022bc3f6591a1
                                                                                                                • Opcode Fuzzy Hash: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
                                                                                                                • Instruction Fuzzy Hash: B61149A2B0964186EA008F16AC8426977A1BF98FC0F5C4535DA0DDB762DF7DE541838E
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ErrorFileLastPointer
                                                                                                                • String ID:
                                                                                                                • API String ID: 2976181284-0
                                                                                                                • Opcode ID: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
                                                                                                                • Instruction ID: ad791548fa59e81c4491c876d2a17836f805ceddae8eddd3267700112c64cb2d
                                                                                                                • Opcode Fuzzy Hash: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
                                                                                                                • Instruction Fuzzy Hash: E6119022A2864181EB608F25E84137D6760EF55BA4F6C0331DA7D862D6DF7ED592C306
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ItemRectTextWindow$Clientswprintf
                                                                                                                • String ID:
                                                                                                                • API String ID: 3322643685-0
                                                                                                                • Opcode ID: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
                                                                                                                • Instruction ID: c8601caa790491e7021f3a39f2879476d40f24db404ddd00096301e8e710c44f
                                                                                                                • Opcode Fuzzy Hash: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
                                                                                                                • Instruction Fuzzy Hash: AA015E62A2934A41FF695F52A4583795391AF85784F0C0475DC4DCA2DBDE2EE884C34E
                                                                                                                APIs
                                                                                                                • GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6E997EBAD,?,?,?,?,00007FF6E9975752,?,?,?,00007FF6E99756DE), ref: 00007FF6E997EB5C
                                                                                                                • GetProcessAffinityMask.KERNEL32 ref: 00007FF6E997EB6F
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Process$AffinityCurrentMask
                                                                                                                • String ID:
                                                                                                                • API String ID: 1231390398-0
                                                                                                                • Opcode ID: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
                                                                                                                • Instruction ID: 0bc82184554e7b76f8f0bf40cd4323cddf41bae23aa08602f4468f4b7c098355
                                                                                                                • Opcode Fuzzy Hash: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
                                                                                                                • Instruction Fuzzy Hash: F5E02B62F1454682DF488FA7C4406E97392FFC8B40B8C8035D60BC3615EE2DE1458B05
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
                                                                                                                • String ID:
                                                                                                                • API String ID: 1173176844-0
                                                                                                                • Opcode ID: ac554a43d54612151bc7e480101717375080be3004ee5b366f50feb51e7139dd
                                                                                                                • Instruction ID: 46b6556415e95399ad8f0c59c6e0308b2b2d7b26a406817091ad96072fec3524
                                                                                                                • Opcode Fuzzy Hash: ac554a43d54612151bc7e480101717375080be3004ee5b366f50feb51e7139dd
                                                                                                                • Instruction Fuzzy Hash: BEE0EC42E1A1074DFD682A6519253BC00544F29774E1C1730DA3EC82C3AD1EB4E1815A
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ErrorFreeHeapLast
                                                                                                                • String ID:
                                                                                                                • API String ID: 485612231-0
                                                                                                                APIs
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                • String ID:
                                                                                                                • API String ID: 3668304517-0
                                                                                                                APIs
                                                                                                                Similarity
                                                                                                                • API ID: CompareString_invalid_parameter_noinfo_noreturn
                                                                                                                • String ID:
                                                                                                                • API String ID: 1017591355-0
                                                                                                                APIs
                                                                                                                  • Part of subcall function 00007FF6E997E948: ReleaseSemaphore.KERNEL32 ref: 00007FF6E997E974
                                                                                                                  • Part of subcall function 00007FF6E997E948: CloseHandle.KERNELBASE ref: 00007FF6E997E993
                                                                                                                  • Part of subcall function 00007FF6E997E948: DeleteCriticalSection.KERNEL32 ref: 00007FF6E997E9AA
                                                                                                                  • Part of subcall function 00007FF6E997E948: CloseHandle.KERNEL32 ref: 00007FF6E997E9B7
                                                                                                                • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6E9981ACB
                                                                                                                Similarity
                                                                                                                • API ID: CloseHandle$CriticalDeleteReleaseSectionSemaphore_invalid_parameter_noinfo_noreturn
                                                                                                                • String ID:
                                                                                                                • API String ID: 904680172-0
                                                                                                                APIs
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                • String ID:
                                                                                                                • API String ID: 3668304517-0
                                                                                                                APIs
                                                                                                                  • Part of subcall function 00007FF6E9973EC8: FindClose.KERNELBASE(?,?,00000000,00007FF6E9980811), ref: 00007FF6E9973EFD
                                                                                                                • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6E996E993
                                                                                                                Similarity
                                                                                                                • API ID: CloseFind_invalid_parameter_noinfo_noreturn
                                                                                                                • String ID:
                                                                                                                • API String ID: 1011579015-0
                                                                                                                APIs
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                • String ID:
                                                                                                                • API String ID: 3668304517-0
                                                                                                                APIs
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                • String ID:
                                                                                                                • API String ID: 3668304517-0
                                                                                                                APIs
                                                                                                                Similarity
                                                                                                                • API ID: HandleModule$AddressFreeLibraryProc
                                                                                                                • String ID:
                                                                                                                • API String ID: 3947729631-0
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Concurrency::cancel_current_taskstd::bad_alloc::bad_alloc
                                                                                                                • String ID:
                                                                                                                • API String ID: 680105476-0
                                                                                                                • Opcode ID: 8615e64c65e08c4765cb9fe696173ca1d24e70e0804716bd186f62c3c2783a0a
                                                                                                                • Instruction ID: 7ac7079b1910ca036b14a1793618faa6895a2686292f089471f4cdebfd2c909c
                                                                                                                • Opcode Fuzzy Hash: 8615e64c65e08c4765cb9fe696173ca1d24e70e0804716bd186f62c3c2783a0a
                                                                                                                • Instruction Fuzzy Hash: BF217C23A1975185EA249E92A5003796250AF04BF0F6C0B35DE7E87BD3DE7EE051C38A
                                                                                                                APIs
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                • String ID:
                                                                                                                • API String ID: 3668304517-0
                                                                                                                • Opcode ID: fb840d9647ab0cc3a78d99d275da67472287db788fd11e61fb78e56b1f0afad7
                                                                                                                • Instruction ID: 13eaf68aaad7f278f22e46c53a87286806a7f3cbf95f944bad92c32430af055d
                                                                                                                • Opcode Fuzzy Hash: fb840d9647ab0cc3a78d99d275da67472287db788fd11e61fb78e56b1f0afad7
                                                                                                                • Instruction Fuzzy Hash: 33214C23B28586A2EA08DF21D5553FC6324FF45784F984431E71D876A3CF7EA4A4C34A
                                                                                                                APIs
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo
                                                                                                                • String ID:
                                                                                                                • API String ID: 3215553584-0
                                                                                                                • Opcode ID: 9dd5a9e84c18447e56e2265fa04046f11d37b96b7f5b774ce3305aa6458b3f00
                                                                                                                • Instruction ID: d9cfec5375a48c364b99159a402b8dbb4ebbc9ab7d3e80eb6b2e5c297e58f0dd
                                                                                                                • Opcode Fuzzy Hash: 9dd5a9e84c18447e56e2265fa04046f11d37b96b7f5b774ce3305aa6458b3f00
                                                                                                                • Instruction Fuzzy Hash: 98114C33E1C642C6F7209F51A880779A6A5FF40388F5D0935EA8DC7697DF6EE850870A
                                                                                                                APIs
                                                                                                                  • Part of subcall function 00007FF6E998F0A4: GetDlgItem.USER32 ref: 00007FF6E998F0E3
                                                                                                                  • Part of subcall function 00007FF6E998F0A4: ShowWindow.USER32 ref: 00007FF6E998F109
                                                                                                                  • Part of subcall function 00007FF6E998F0A4: SendMessageW.USER32 ref: 00007FF6E998F11E
                                                                                                                  • Part of subcall function 00007FF6E998F0A4: SendMessageW.USER32 ref: 00007FF6E998F136
                                                                                                                  • Part of subcall function 00007FF6E998F0A4: SendMessageW.USER32 ref: 00007FF6E998F157
                                                                                                                  • Part of subcall function 00007FF6E998F0A4: SendMessageW.USER32 ref: 00007FF6E998F173
                                                                                                                  • Part of subcall function 00007FF6E998F0A4: SendMessageW.USER32 ref: 00007FF6E998F1B6
                                                                                                                  • Part of subcall function 00007FF6E998F0A4: SendMessageW.USER32 ref: 00007FF6E998F1D4
                                                                                                                  • Part of subcall function 00007FF6E998F0A4: SendMessageW.USER32 ref: 00007FF6E998F1E8
                                                                                                                  • Part of subcall function 00007FF6E998F0A4: SendMessageW.USER32 ref: 00007FF6E998F212
                                                                                                                  • Part of subcall function 00007FF6E998F0A4: SendMessageW.USER32 ref: 00007FF6E998F22A
                                                                                                                • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6E998FD03
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend$ItemShowWindow_invalid_parameter_noinfo_noreturn
                                                                                                                • String ID:
                                                                                                                • API String ID: 1587882848-0
                                                                                                                • Opcode ID: 63eea4653700729b6f0165d399898a2d854dc8dec5165f17967af7d1785d552d
                                                                                                                • Instruction ID: ae4dff5fac8190239ea3cb7ac3b482911529d677b6f74f30487b4bcd5bc0511a
                                                                                                                • Opcode Fuzzy Hash: 63eea4653700729b6f0165d399898a2d854dc8dec5165f17967af7d1785d552d
                                                                                                                • Instruction Fuzzy Hash: 85012663A2868542ED249F25D04A37E6311EFC9794F141335EB9C8ABDBEF2DE180C609
                                                                                                                APIs
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                • String ID:
                                                                                                                • API String ID: 3668304517-0
                                                                                                                • Opcode ID: 69957ef0d3d2f58a7dead33f72e43e67ea7fb9c623eb1e5576ce27618050ff46
                                                                                                                • Instruction ID: 3d5e487bc095b6f6098d63d3727ac9777c2c86f29f9a930b30c92d4ef933d7a9
                                                                                                                • Opcode Fuzzy Hash: 69957ef0d3d2f58a7dead33f72e43e67ea7fb9c623eb1e5576ce27618050ff46
                                                                                                                • Instruction Fuzzy Hash: D401C463E2868541EA119F29E44637D7361FFC97A0F885231EA9C47AA7DF2ED040C74D
                                                                                                                APIs
                                                                                                                  • Part of subcall function 00007FF6E9991604: GetModuleHandleW.KERNEL32(?,?,?,00007FF6E9991573,?,?,?,00007FF6E999192A), ref: 00007FF6E999162B
                                                                                                                • DloadProtectSection.DELAYIMP ref: 00007FF6E99915C9
                                                                                                                Similarity
                                                                                                                • API ID: DloadHandleModuleProtectSection
                                                                                                                • String ID:
                                                                                                                • API String ID: 2883838935-0
                                                                                                                • Opcode ID: 908f49ac33541a8240f4269ada82e733cc5c0c647bda27ab8868a2cee9a60ef3
                                                                                                                • Instruction ID: 5956adb56aab8a42a7ac978f01c3317159aa4aec95c21692f5889c2383945ef3
                                                                                                                • Opcode Fuzzy Hash: 908f49ac33541a8240f4269ada82e733cc5c0c647bda27ab8868a2cee9a60ef3
                                                                                                                • Instruction Fuzzy Hash: 5311BA63D0C64785FB659F06AC403B023A0BF58349F5E0074C90DCA2A3EEBEB895861B
                                                                                                                APIs
                                                                                                                  • Part of subcall function 00007FF6E99740BC: FindFirstFileW.KERNELBASE ref: 00007FF6E997410B
                                                                                                                  • Part of subcall function 00007FF6E99740BC: FindFirstFileW.KERNELBASE ref: 00007FF6E997415E
                                                                                                                  • Part of subcall function 00007FF6E99740BC: GetLastError.KERNEL32 ref: 00007FF6E99741AF
                                                                                                                • FindClose.KERNELBASE(?,?,00000000,00007FF6E9980811), ref: 00007FF6E9973EFD
                                                                                                                Similarity
                                                                                                                • API ID: Find$FileFirst$CloseErrorLast
                                                                                                                • String ID:
                                                                                                                • API String ID: 1464966427-0
                                                                                                                • Opcode ID: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
                                                                                                                • Instruction ID: 3e32efc9407972aa5794498430e12f8902f413cc06fe903c9e143b226ae361c1
                                                                                                                • Opcode Fuzzy Hash: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
                                                                                                                • Instruction Fuzzy Hash: FFF08163A0824285EA109F75A5023B937609F15BB4F581334EE3D472C7CE2AD454875A
                                                                                                                APIs
                                                                                                                Similarity
                                                                                                                • API ID: File
                                                                                                                • String ID:
                                                                                                                • API String ID: 749574446-0
                                                                                                                • Opcode ID: 7793d0dfaf1bed477703e517dfb550f1e48d00439aedf8bd4eeb9f79e866bcb3
                                                                                                                • Instruction ID: 89de7a1a3181a0621853d4b86904151adb4d54531605d8195e1de3f06e479875
                                                                                                                • Opcode Fuzzy Hash: 7793d0dfaf1bed477703e517dfb550f1e48d00439aedf8bd4eeb9f79e866bcb3
                                                                                                                • Instruction Fuzzy Hash: 10E08C23E2052582EB24AF2BCC427A85360EF88B85F4C1030CE0C87362CE2ED4918A09
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FileType
                                                                                                                • String ID:
                                                                                                                • API String ID: 3081899298-0
                                                                                                                Similarity
                                                                                                                • API ID: CurrentDirectory
                                                                                                                • String ID:
                                                                                                                • API String ID: 1611563598-0
                                                                                                                Similarity
                                                                                                                • API ID: AllocHeap
                                                                                                                • String ID:
                                                                                                                • API String ID: 4292702814-0
                                                                                                                Similarity
                                                                                                                • API ID: AllocHeap
                                                                                                                • String ID:
                                                                                                                • API String ID: 4292702814-0
                                                                                                                Similarity
                                                                                                                • API ID: CloseHandle
                                                                                                                • String ID:
                                                                                                                • API String ID: 2962429428-0
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo_noreturn$CloseErrorFileHandleLastwcscpy$ControlCreateCurrentDeleteDeviceDirectoryProcessRemove
                                                                                                                • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                                                                • API String ID: 2659423929-3508440684
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo_noreturn$ErrorLastLoadString$Concurrency::cancel_current_taskInit_thread_footer
                                                                                                                • String ID: %ls$%s: %s
                                                                                                                • API String ID: 2539828978-2259941744
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfomemcpy_s
                                                                                                                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                • API String ID: 1759834784-2761157908
                                                                                                                Similarity
                                                                                                                • API ID: NamePath$File_invalid_parameter_noinfo_noreturn$LongMoveShort$CompareCreateString
                                                                                                                • String ID: rtmp
                                                                                                                • API String ID: 3587137053-870060881
                                                                                                                • Opcode ID: daf468590969a9bb0c1bd78ae2e53dc7e5858e179e50b5fea0acf6ddbd62b289
                                                                                                                • Instruction ID: f71388146d112e55f192c019389c01975871729a5a9c95ade1ca97ea1ef6d076
                                                                                                                • Opcode Fuzzy Hash: daf468590969a9bb0c1bd78ae2e53dc7e5858e179e50b5fea0acf6ddbd62b289
                                                                                                                • Instruction Fuzzy Hash: 18F1D023B18A4286EB20CF65D4802FD6761FF95784F580532EA4D83AEADF3DE584C749
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: FullNamePath_invalid_parameter_noinfo_noreturn
                                                                                                                • String ID:
                                                                                                                • API String ID: 1693479884-0
                                                                                                                • Opcode ID: eb320a448f2f5b685a05a21c57fd524cc8e4434a836e962e5226f9c8e5b08568
                                                                                                                • Instruction ID: 95e0d0342509a77ac6999d06a41ecdd6188da9a05b52f55b4d60dbe01c7eb935
                                                                                                                • Opcode Fuzzy Hash: eb320a448f2f5b685a05a21c57fd524cc8e4434a836e962e5226f9c8e5b08568
                                                                                                                • Instruction Fuzzy Hash: 36A1A363F14A5184FE508F7998443BC2321AF95BE4B184235DE2D97BDADE3EE081C20A
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                • String ID:
                                                                                                                • API String ID: 3140674995-0
                                                                                                                • Opcode ID: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
                                                                                                                • Instruction ID: aa7249711d6641ca1fba554cffdb0658ddbb8daf52ba1751b0dace908400706a
                                                                                                                • Opcode Fuzzy Hash: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
                                                                                                                • Instruction Fuzzy Hash: B7316E73A08B818AEB608F65E8503ED7360FF84748F48443ADA4D87A99DF7DD548C715
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                • String ID:
                                                                                                                • API String ID: 1239891234-0
                                                                                                                • Opcode ID: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
                                                                                                                • Instruction ID: 9bb5e4eda408b3f1a6dadc0dd4fef24c3cfd92c234ccc2e36725e8c23dd24aad
                                                                                                                • Opcode Fuzzy Hash: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
                                                                                                                • Instruction Fuzzy Hash: 7C316D33A08B8199EB608F25E8403EE73A4FB84758F580135EA9D83B9ADF3DC555CB05
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                • String ID:
                                                                                                                • API String ID: 3668304517-0
                                                                                                                • Opcode ID: 9edba9425319f61c263b429ec5f6a673cda7c500d94d2f9d5135e37ac7397f0d
                                                                                                                • Instruction ID: c7fa3183c60d0c5dc0c4d69ce230d6ba2c14d73d744573d47913265051729d52
                                                                                                                • Opcode Fuzzy Hash: 9edba9425319f61c263b429ec5f6a673cda7c500d94d2f9d5135e37ac7397f0d
                                                                                                                • Instruction Fuzzy Hash: 63B1D063B2468686EB209F65D8443ED2361FF85784F485232EA4D87B9BDF3DE540C349
                                                                                                                APIs
                                                                                                                • _invalid_parameter_noinfo.LIBCMT ref: 00007FF6E999FAC4
                                                                                                                  • Part of subcall function 00007FF6E9997934: GetCurrentProcess.KERNEL32(00007FF6E99A0CCD), ref: 00007FF6E9997961
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: CurrentProcess_invalid_parameter_noinfo
                                                                                                                • String ID: *?$.
                                                                                                                • API String ID: 2518042432-3972193922
                                                                                                                • Opcode ID: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
                                                                                                                • Instruction ID: 773e4d2fee3fe7b2da891f6ad0a005cffd626149d2dfff71bf0d196c9ef983e8
                                                                                                                • Opcode Fuzzy Hash: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
                                                                                                                • Instruction Fuzzy Hash: 36510563B15B9549EF10DFA298102B8A7A4FF48BD8B488131DE1D57B86EE3ED4828305
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: memcpy_s
                                                                                                                • String ID:
                                                                                                                • API String ID: 1502251526-0
                                                                                                                • Opcode ID: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
                                                                                                                • Instruction ID: 3ed9a76db44e7931fdc88097d2fd5043941f95be7a0b4abeb948770fa1775ac3
                                                                                                                • Opcode Fuzzy Hash: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
                                                                                                                • Instruction Fuzzy Hash: D9D1A133B1868687DB24CF15A1847AEB7A1FB98784F188134DB4E97B45DE7DE8418B04
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: ErrorFormatFreeLastLocalMessage
                                                                                                                • String ID:
                                                                                                                • API String ID: 1365068426-0
                                                                                                                • Opcode ID: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
                                                                                                                • Instruction ID: e13a8fd8ed58427aafde87f43e3fdb7609ccc3149944bfd8fd9893568025097d
                                                                                                                • Opcode Fuzzy Hash: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
                                                                                                                • Instruction Fuzzy Hash: 1401FF72A1C74282E7109F26B8502BEA3A5FF89BC1F4C4034EA9E87B46DE3DD515C749
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: .
                                                                                                                • API String ID: 0-248832578
                                                                                                                • Opcode ID: 7c9d8364e7b62915daf92aecf888b4814fe01b6aae5fc02ec6e7aa2f3019df5b
                                                                                                                • Instruction ID: 005ffdd755c51ea2d8f6bd9ef098a5439e31e9fc16e711fdedf0010ac3fadb50
                                                                                                                • Opcode Fuzzy Hash: 7c9d8364e7b62915daf92aecf888b4814fe01b6aae5fc02ec6e7aa2f3019df5b
                                                                                                                • Instruction Fuzzy Hash: A4312A23B0869149F7208E6698057B9BA91EF58BE4F0C8234DE6C87BC7DE3DD9418304
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: ExceptionRaise_clrfp
                                                                                                                • String ID:
                                                                                                                • API String ID: 15204871-0
                                                                                                                • Opcode ID: 131550a8e914c8a4384a7255cc8ec53066b4dff0b7ecc1394be8dfb6b4310eca
                                                                                                                • Instruction ID: f1934ad81448e93e13754b2003dd361ba15ec30fcb0fc0fc824ce91a1af0554e
                                                                                                                • Opcode Fuzzy Hash: 131550a8e914c8a4384a7255cc8ec53066b4dff0b7ecc1394be8dfb6b4310eca
                                                                                                                • Instruction Fuzzy Hash: 03B16C73A10B898BEB15CF29C84636C3BB0FB44B48F198921DA5D877A9CF7AD451C706
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: ObjectRelease$CapsDevice
                                                                                                                • String ID:
                                                                                                                • API String ID: 1061551593-0
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: FormatInfoLocaleNumber
                                                                                                                • String ID:
                                                                                                                • API String ID: 2169056816-0
                                                                                                                APIs
                                                                                                                  • Part of subcall function 00007FF6E99724C0: CreateFileW.KERNELBASE ref: 00007FF6E997259B
                                                                                                                  • Part of subcall function 00007FF6E99724C0: GetLastError.KERNEL32 ref: 00007FF6E99725AE
                                                                                                                  • Part of subcall function 00007FF6E99724C0: CreateFileW.KERNEL32 ref: 00007FF6E997260E
                                                                                                                  • Part of subcall function 00007FF6E99724C0: GetLastError.KERNEL32 ref: 00007FF6E9972617
                                                                                                                • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6E99715D0
                                                                                                                  • Part of subcall function 00007FF6E9973980: MoveFileW.KERNEL32 ref: 00007FF6E99739BD
                                                                                                                  • Part of subcall function 00007FF6E9973980: MoveFileW.KERNEL32 ref: 00007FF6E9973A34
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: File$CreateErrorLastMove$_invalid_parameter_noinfo_noreturn
                                                                                                                • String ID:
                                                                                                                • API String ID: 34527147-0
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: Version
                                                                                                                • String ID:
                                                                                                                • API String ID: 1889659487-0
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo
                                                                                                                • String ID: 0
                                                                                                                • API String ID: 3215553584-4108050209
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo
                                                                                                                • String ID: 0
                                                                                                                • API String ID: 3215553584-4108050209
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: gj
                                                                                                                • API String ID: 0-4203073231
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: @
                                                                                                                • API String ID: 0-2766056989
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: HeapProcess
                                                                                                                • String ID:
                                                                                                                • API String ID: 54951025-0
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 1df1e6e81a57214c8643d36be1bb9cde3812740f73d4ab830297bee2ffae98a2
                                                                                                                • Instruction ID: 01a41c4d64732a427155470dee98bf6e967e2775d0b4b3caee357507492f25cf
                                                                                                                • Opcode Fuzzy Hash: 1df1e6e81a57214c8643d36be1bb9cde3812740f73d4ab830297bee2ffae98a2
                                                                                                                • Instruction Fuzzy Hash: 7882F1A3A096C186D729CF28D4142BC7BA1EF55B88F1D813ADE4E87386DE3ED445C316
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
                                                                                                                • Instruction ID: 86f2de7b3609ae86c79f9bb7fda3a6ebd9abdbf096e3a10a7029e9dca3c5419f
                                                                                                                • Opcode Fuzzy Hash: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
                                                                                                                • Instruction Fuzzy Hash: EA626D9AD3AF9A1EE303A53954131D2E35C0EF74C9551E31BFCE431E66EB92A6832314
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 83a45c88a368d7276059de07aefbbc35b61cea5d64746511b72f3674958eea04
                                                                                                                • Instruction ID: 9b88c5f473a0674f1a5eb15277d42d8c91f6c524c5e8bba932c22090a2c2ecad
                                                                                                                • Opcode Fuzzy Hash: 83a45c88a368d7276059de07aefbbc35b61cea5d64746511b72f3674958eea04
                                                                                                                • Instruction Fuzzy Hash: E08201B3A096C18AD729CE24D4447FC7B61FB55B48F08817ACA4D8778ACE3ED489C716
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: ffdf8f5a64276e3eb417e3b9ae5b43350349d41efb04db03fca9f8ba9e24336f
                                                                                                                • Instruction ID: 91d5ce0994a0897bfd7839c438621ba1b4a4fb504f1d6368d1ce13803b7cec5a
                                                                                                                • Opcode Fuzzy Hash: ffdf8f5a64276e3eb417e3b9ae5b43350349d41efb04db03fca9f8ba9e24336f
                                                                                                                • Instruction Fuzzy Hash: B222F3B3B206508BD728CF25D89AA5E3766F798744B4B8228DF0ACB785DF39D505CB40
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 21143e83615dcc23e36b64f0d60848ac948cba63854c17a605a1a3ec217f9251
                                                                                                                • Instruction ID: 42ca3a6464d3dcefc867775ace78a46c7ab93fd80ec03e613ab99500d8a4e779
                                                                                                                • Opcode Fuzzy Hash: 21143e83615dcc23e36b64f0d60848ac948cba63854c17a605a1a3ec217f9251
                                                                                                                • Instruction Fuzzy Hash: C232BE73A041918BE72C8F24D550BBC37A1FB54B48F098139DA4A87B8ADF3DE865C745
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 063370d9e2e9571dc593e8358d008e0ec5385ad0435e9f2f5019d46da215c13b
                                                                                                                • Instruction ID: 9a4de702202edd5aa9ad9e851c666bbcd2cb31580cb2626cad54da07f258e394
                                                                                                                • Opcode Fuzzy Hash: 063370d9e2e9571dc593e8358d008e0ec5385ad0435e9f2f5019d46da215c13b
                                                                                                                • Instruction Fuzzy Hash: A8C19CB7B281908FE350CF7AE400A9D3BB1F39878CB559125DF59A3B09D639E645CB40
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 602477e063b5c1ca901f2159ae3c7fc010244aaa433e93e1960e83d539d05e76
                                                                                                                • Instruction ID: fe42587069cb7abbf9287378937d7c38aff1bddb9fcb43dc46b675a727928f91
                                                                                                                • Opcode Fuzzy Hash: 602477e063b5c1ca901f2159ae3c7fc010244aaa433e93e1960e83d539d05e76
                                                                                                                • Instruction Fuzzy Hash: 2DA10373A0818246EB29CE24D4457BD2792EFA0784F5D4539DE4E87787CE3EE881C31A
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: e3f156a61251d3696a660eff3e2c5499dd818c979554cbf7ea7c30eccab92618
                                                                                                                • Instruction ID: 97f6105e89ca2439f9cce49844c2c2c5553f4c52b5e9733d503f7c051972eb9d
                                                                                                                • Opcode Fuzzy Hash: e3f156a61251d3696a660eff3e2c5499dd818c979554cbf7ea7c30eccab92618
                                                                                                                • Instruction Fuzzy Hash: A0C10673A291E04DE302CFB5A4248FD3FF1E71E34DB4A4152EF9666B4ADA295201DF60
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc
                                                                                                                • String ID:
                                                                                                                • API String ID: 190572456-0
                                                                                                                • Opcode ID: ba0d91b71a6ba36ace61fab0c0f7d4922daa1e3f8d028e3e8b3457ff5b2a4fa0
                                                                                                                • Instruction ID: b41247bdb06977f1530140d48fab01b38085a2e935869bf84b67f2b2a1976098
                                                                                                                • Opcode Fuzzy Hash: ba0d91b71a6ba36ace61fab0c0f7d4922daa1e3f8d028e3e8b3457ff5b2a4fa0
                                                                                                                • Instruction Fuzzy Hash: B1911063A18581A6EB11CF29D8517FD2720FF95788F481031EE4E8B78AEE3AD606C344
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                • String ID: :$EFS:$LOGGED_UTILITY_STREAM$:$I30:$INDEX_ALLOCATION$:$TXF_DATA:$LOGGED_UTILITY_STREAM$::$ATTRIBUTE_LIST$::$BITMAP$::$DATA$::$EA$::$EA_INFORMATION$::$FILE_NAME$::$INDEX_ALLOCATION$::$INDEX_ROOT$::$LOGGED_UTILITY_STREAM$::$OBJECT_ID$::$REPARSE_POINT
                                                                                                                • API String ID: 3668304517-727060406
                                                                                                                Similarity
                                                                                                                • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                                                                                                • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                                                                • API String ID: 2565136772-3242537097
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
                                                                                                                • String ID: DXGIDebug.dll$UNC$\\?\
                                                                                                                • API String ID: 4097890229-4048004291
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskDialog
                                                                                                                • String ID: GETPASSWORD1$Software\WinRAR SFX
                                                                                                                • API String ID: 431506467-1315819833
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo_noreturn$Global$AllocCreateStream
                                                                                                                • String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
                                                                                                                • API String ID: 2868844859-1533471033
                                                                                                                • Opcode ID: 11aacd67445855d745a7f015c66ec02737dd5eaa18f827b11f87478fd2bdef61
                                                                                                                • Instruction ID: 188193528de6fe8184362a29e26570f32fa1aa31954fa0c2833df7666101ac59
                                                                                                                • Opcode Fuzzy Hash: 11aacd67445855d745a7f015c66ec02737dd5eaa18f827b11f87478fd2bdef61
                                                                                                                • Instruction Fuzzy Hash: F9819D63F18A4299FB14DFA5D8413ED2371AF44788F480135CE1D97A9BEE3AD506C34A
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo
                                                                                                                • String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
                                                                                                                • API String ID: 3215553584-2617248754
                                                                                                                • Opcode ID: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
                                                                                                                • Instruction ID: bb54fc6cf0b7198537c6662f5d82708f3d52391aa75503c0f3715bceb0939bab
                                                                                                                • Opcode Fuzzy Hash: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
                                                                                                                • Instruction Fuzzy Hash: FC41CE33A0AB4589E704CF65E8417AD33A4EF18398F084136EE4C87B96EE3ED025C349
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Similarity
                                                                                                                • API ID: Window$MessageObjectSend$ClassDeleteLongName
                                                                                                                • String ID: STATIC
                                                                                                                • API String ID: 2845197485-1882779555
                                                                                                                • Opcode ID: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
                                                                                                                • Instruction ID: e073d80798e7b5ea7c215367034a1c7ff3f2d9e19c4681dfd8a803a338859c47
                                                                                                                • Opcode Fuzzy Hash: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
                                                                                                                • Instruction Fuzzy Hash: 1C31C323B0864246FA749F62E9147B963A1BF88BC0F081035DD4E87B57DE3EE8468785
                                                                                                                Strings
                                                                                                                Similarity
                                                                                                                • API ID: ItemTextWindow
                                                                                                                • String ID: LICENSEDLG
                                                                                                                • API String ID: 2478532303-2177901306
                                                                                                                • Opcode ID: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
                                                                                                                • Instruction ID: 034361b68614648ac9f1887f084ea5e54d410436a350d6cde11b6359b354bc0c
                                                                                                                • Opcode Fuzzy Hash: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
                                                                                                                • Instruction Fuzzy Hash: 1C418463B1865282F7648F62E8547792361AF84B80F0C4439DD0E8BB97CF3EE945830E
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$CurrentDirectoryProcessSystem
                                                                                                                • String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
                                                                                                                • API String ID: 2915667086-2207617598
                                                                                                                • Opcode ID: d2e93635ec338890dfe438c4789fcaf7e26687fbfe6c7ce53d5981307f2d6baa
                                                                                                                • Instruction ID: 13cdb6039fbbbc11d95b7e828b01b6f28b3a5f6f5aed1d9d25ba19935ad4cd8d
                                                                                                                • Opcode Fuzzy Hash: d2e93635ec338890dfe438c4789fcaf7e26687fbfe6c7ce53d5981307f2d6baa
                                                                                                                • Instruction Fuzzy Hash: B7313732E09B0280FA18AF16E95437527A0FF48B90F0C5135C85E877A7EE7EE581830E
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                • String ID: $
                                                                                                                • API String ID: 3668304517-227171996
                                                                                                                • Opcode ID: f70b963fbcba7fec90bf2027ad10dc1b417ed30690d90250c66aca16dc2c6d1f
                                                                                                                • Instruction ID: 0385b9e2eabb4a94c969b6a179c4c76af5c057d01ad0987a4ae1008c67701653
                                                                                                                • Opcode Fuzzy Hash: f70b963fbcba7fec90bf2027ad10dc1b417ed30690d90250c66aca16dc2c6d1f
                                                                                                                • Instruction Fuzzy Hash: E6F1D063F1464281EF289F66D4482FC2361AF44B98F485635CA2D937DADF7EE080C35A
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Similarity
                                                                                                                • API ID: Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
                                                                                                                • String ID: csm$csm$csm
                                                                                                                • API String ID: 2940173790-393685449
                                                                                                                • Opcode ID: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
                                                                                                                • Instruction ID: dd740dfe0674fd0dedd2fbc511d47a87c1024b2f4a2160dec5af0f94d0d77748
                                                                                                                • Opcode Fuzzy Hash: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
                                                                                                                • Instruction Fuzzy Hash: 74E18C739086828EEB209F29D4803AE7BA0FF45758F184135DE8D87796DF3AE485C706
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Similarity
                                                                                                                • API ID: AllocClearStringVariant
                                                                                                                • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
                                                                                                                • API String ID: 1959693985-3505469590
                                                                                                                • Opcode ID: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
                                                                                                                • Instruction ID: e239674148916b3b86ed385d48bb686a5e75447bbdf48d09cd3fde563c0ee9a7
                                                                                                                • Opcode Fuzzy Hash: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
                                                                                                                • Instruction Fuzzy Hash: ED713C77A14A4585EB20DF26D8806AD77B4FF88B98B085132DE4E83BA5CF3ED544C345
                                                                                                                APIs
                                                                                                                • LoadLibraryExW.KERNEL32(?,?,00000000,00007FF6E99974F3,?,?,?,00007FF6E999525E,?,?,?,00007FF6E9995219), ref: 00007FF6E9997371
                                                                                                                • GetLastError.KERNEL32(?,?,00000000,00007FF6E99974F3,?,?,?,00007FF6E999525E,?,?,?,00007FF6E9995219), ref: 00007FF6E999737F
                                                                                                                • LoadLibraryExW.KERNEL32(?,?,00000000,00007FF6E99974F3,?,?,?,00007FF6E999525E,?,?,?,00007FF6E9995219), ref: 00007FF6E99973A9
                                                                                                                • FreeLibrary.KERNEL32(?,?,00000000,00007FF6E99974F3,?,?,?,00007FF6E999525E,?,?,?,00007FF6E9995219), ref: 00007FF6E99973EF
                                                                                                                • GetProcAddress.KERNEL32(?,?,00000000,00007FF6E99974F3,?,?,?,00007FF6E999525E,?,?,?,00007FF6E9995219), ref: 00007FF6E99973FB
                                                                                                                Strings
                                                                                                                Similarity
                                                                                                                • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                                • String ID: api-ms-
                                                                                                                • API String ID: 2559590344-2084034818
                                                                                                                • Opcode ID: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
                                                                                                                • Instruction ID: a4579a134e52ca5b84d63afff28c3fb7894e9abc7e9edec541e7ad9aa4ef809d
                                                                                                                • Opcode Fuzzy Hash: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
                                                                                                                • Instruction Fuzzy Hash: 3631E323A1E64285EE11AF06A8007B923D4FF48BA0F1D4535DD1D8B792DF3DE080C72A
                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNEL32(?,?,?,00007FF6E9991573,?,?,?,00007FF6E999192A), ref: 00007FF6E999162B
                                                                                                                • GetProcAddress.KERNEL32(?,?,?,00007FF6E9991573,?,?,?,00007FF6E999192A), ref: 00007FF6E9991648
                                                                                                                • GetProcAddress.KERNEL32(?,?,?,00007FF6E9991573,?,?,?,00007FF6E999192A), ref: 00007FF6E9991664
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$HandleModule
                                                                                                                • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                                                                                • API String ID: 667068680-1718035505
                                                                                                                • Opcode ID: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
                                                                                                                • Instruction ID: b6f2b542f1de7e3d3403ff03f2beae7bde317b7fe2f45274f2274a0bde5d216f
                                                                                                                • Opcode Fuzzy Hash: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
                                                                                                                • Instruction Fuzzy Hash: 3E112D23E1AB4386FE758F02A9403B413A5BF08794F4D5435C81DCA397EEBEB485861A
                                                                                                                APIs
                                                                                                                  • Part of subcall function 00007FF6E99751A4: GetVersionExW.KERNEL32 ref: 00007FF6E99751D5
                                                                                                                • FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6E9965AB4), ref: 00007FF6E997ED8C
                                                                                                                • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6E9965AB4), ref: 00007FF6E997ED98
                                                                                                                • SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6E9965AB4), ref: 00007FF6E997EDA8
                                                                                                                • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6E9965AB4), ref: 00007FF6E997EDB6
                                                                                                                • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6E9965AB4), ref: 00007FF6E997EDC4
                                                                                                                • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6E9965AB4), ref: 00007FF6E997EE05
                                                                                                                Similarity
                                                                                                                • API ID: Time$File$System$Local$SpecificVersion
                                                                                                                • String ID:
                                                                                                                • API String ID: 2092733347-0
                                                                                                                • Opcode ID: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
                                                                                                                • Instruction ID: e44bd263e3b6cc4801a93a890c47060370a8126141ca50e8f6b7abd001335655
                                                                                                                • Opcode Fuzzy Hash: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
                                                                                                                • Instruction Fuzzy Hash: 175155B3B106518AEB04CFB9D4402AC37B1FB48B88B64403ADE1DA7B59EF39E556C704
                                                                                                                Similarity
                                                                                                                • API ID: Time$File$System$Local$SpecificVersion
                                                                                                                • String ID:
                                                                                                                • API String ID: 2092733347-0
                                                                                                                • Opcode ID: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
                                                                                                                • Instruction ID: 6afb91cd7cb5568531796b94c78b700b3964e541f741f9f3a440216481fee579
                                                                                                                • Opcode Fuzzy Hash: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
                                                                                                                • Instruction Fuzzy Hash: 4E311863F10A5189EB00CFB5D8802FC3770FF08758B58502AEE1DA7A59EE78D895C715
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                • String ID: .rar$exe$rar$sfx
                                                                                                                • API String ID: 3668304517-630704357
                                                                                                                • Opcode ID: 9b8f9fc42827f07993982fd9f343e807743a6e075335c2f478db097a4822f4c0
                                                                                                                • Instruction ID: c51d5cb8268856e840cbfba1fb989d4cd912bf80e86ba94eb12021bbaf769264
                                                                                                                • Opcode Fuzzy Hash: 9b8f9fc42827f07993982fd9f343e807743a6e075335c2f478db097a4822f4c0
                                                                                                                • Instruction Fuzzy Hash: BDA19D23A14A0680EA049F25D8853BC2361EF54BA8F5C1231DD1D877EBDF7EE585C38A
                                                                                                                Similarity
                                                                                                                • API ID: abort$CallEncodePointerTranslator
                                                                                                                • String ID: MOC$RCC
                                                                                                                • API String ID: 2889003569-2084237596
                                                                                                                • Opcode ID: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
                                                                                                                • Instruction ID: 1e788cc89f5a7b421e513002fa6c44bc12a4e5ffe8ccb72ca4027aacebee0eea
                                                                                                                • Opcode Fuzzy Hash: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
                                                                                                                • Instruction Fuzzy Hash: 1991AF73A08B918EE711CF65E4803AD7BA0FB04788F184129EE4D97B56DF39D195C706
                                                                                                                Similarity
                                                                                                                • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                                • String ID: csm$f
                                                                                                                • API String ID: 2395640692-629598281
                                                                                                                • Opcode ID: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
                                                                                                                • Instruction ID: 4056e29f6ddcd9dc62ab369d7bba688c6972ed11f2e2ec7681a3599e8d7eb632
                                                                                                                • Opcode Fuzzy Hash: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
                                                                                                                • Instruction Fuzzy Hash: 61519033A196028ADB24CF15E444B2E2795FF45B98F588030DE1E8774ADF7AE881C74A
                                                                                                                Similarity
                                                                                                                • API ID: ErrorLast_invalid_parameter_noinfo_noreturn$CloseCurrentHandleProcess
                                                                                                                • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                                                                                • API String ID: 2102711378-639343689
                                                                                                                • Opcode ID: 56eb12e04902f8cdd3d9974dd122819d94118814fcd2e4f07e3976d6fdbba36c
                                                                                                                • Instruction ID: 0765795c0409916d3436c5dda3ec1683ca692ef88c110a55e30b0a066c4b33dd
                                                                                                                • Opcode Fuzzy Hash: 56eb12e04902f8cdd3d9974dd122819d94118814fcd2e4f07e3976d6fdbba36c
                                                                                                                • Instruction Fuzzy Hash: 1A51BE63F2874285FB10DFA5D8413BD23B0AF957A4F080135DE2D97697DE3EA485C28A
                                                                                                                Similarity
                                                                                                                • API ID: Window$Show$Rect
                                                                                                                • String ID: RarHtmlClassName
                                                                                                                • API String ID: 2396740005-1658105358
                                                                                                                • Opcode ID: 7f8a0b662af83a4f47b362c37f36e9414f73daccdb18f375bc1ce0a7ee57f15d
                                                                                                                • Instruction ID: b6db6a76e4c46bd41c1cbbf9369343a5ba8618f923b340f2dbec1809ee031090
                                                                                                                • Opcode Fuzzy Hash: 7f8a0b662af83a4f47b362c37f36e9414f73daccdb18f375bc1ce0a7ee57f15d
                                                                                                                • Instruction Fuzzy Hash: 1E51A423A09B418AEB34DF21E45537AA7A1FF85780F084435DE4E87B56DF3EE4458705
                                                                                                                Similarity
                                                                                                                • API ID: EnvironmentVariable$_invalid_parameter_noinfo_noreturn
                                                                                                                • String ID: sfxcmd$sfxpar
                                                                                                                • API String ID: 3540648995-3493335439
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: RENAMEDLG$REPLACEFILEDLG
                                                                                                                • API String ID: 0-56093855
                                                                                                                Similarity
                                                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                                                • API String ID: 4061214504-1276376045
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo
                                                                                                                • String ID:
                                                                                                                • API String ID: 3215553584-0
                                                                                                                Similarity
                                                                                                                • API ID: File$Create$CloseHandleTime_invalid_parameter_noinfo_noreturn
                                                                                                                • String ID:
                                                                                                                • API String ID: 2398171386-0
                                                                                                                Similarity
                                                                                                                • API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
                                                                                                                • String ID:
                                                                                                                • API String ID: 3659116390-0
                                                                                                                Similarity
                                                                                                                • API ID: ByteCharMultiWide$AllocString
                                                                                                                • String ID:
                                                                                                                • API String ID: 262959230-0
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc
                                                                                                                • String ID:
                                                                                                                • API String ID: 190572456-0
                                                                                                                Similarity
                                                                                                                • API ID: _set_statfp
                                                                                                                • String ID:
                                                                                                                • API String ID: 1156100317-0
                                                                                                                Similarity
                                                                                                                • API ID: Message$DispatchObjectPeekSingleTranslateWait
                                                                                                                • String ID:
                                                                                                                Similarity
                                                                                                                • API ID: __except_validate_context_recordabort
                                                                                                                • String ID: csm$csm
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo
                                                                                                                • String ID: $*
                                                                                                                Similarity
                                                                                                                • API ID: ByteCharMultiWide$StringType
                                                                                                                • String ID: $%s
                                                                                                                Similarity
                                                                                                                • API ID: CreateFrameInfo__except_validate_context_recordabort
                                                                                                                • String ID: csm
                                                                                                                Similarity
                                                                                                                • API ID: ByteCharErrorFileLastMultiWideWrite
                                                                                                                • String ID: U
                                                                                                                Similarity
                                                                                                                • API ID: ObjectRelease
                                                                                                                • String ID:
                                                                                                                APIs
                                                                                                                • InitializeCriticalSection.KERNEL32(?,?,?,00007FF6E998317F,?,?,00001000,00007FF6E996E51D), ref: 00007FF6E997E8BB
                                                                                                                • CreateSemaphoreW.KERNEL32(?,?,?,00007FF6E998317F,?,?,00001000,00007FF6E996E51D), ref: 00007FF6E997E8CB
                                                                                                                • CreateEventW.KERNEL32(?,?,?,00007FF6E998317F,?,?,00001000,00007FF6E996E51D), ref: 00007FF6E997E8E4
                                                                                                                Similarity
                                                                                                                • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                                                                                • String ID: Thread pool initialization failed.
                                                                                                                Similarity
                                                                                                                • API ID: CapsDeviceRelease
                                                                                                                • String ID:
                                                                                                                • API String ID: 127614599-3916222277
                                                                                                                • Opcode ID: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
                                                                                                                • Instruction ID: fbc66f276a180d40c267f8b5387b5ae86c389ea55a052a2035b3051e7638ba8b
                                                                                                                • Opcode Fuzzy Hash: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
                                                                                                                • Instruction Fuzzy Hash: C2E0C222B0864182FF085BF6B98923A6261EF4CBD0F198035EA1F8B795CE3DCCC44304
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1740236906.00007FF6E9960000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740534134.00007FF6E99A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740678516.00007FF6E99C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1740953018.00007FF6E99CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6e9960000_442.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo_noreturn$FileTime
                                                                                                                • String ID:
                                                                                                                • API String ID: 1137671866-0
                                                                                                                • Opcode ID: 580eb8bd8f76e11621dd22c3f902231a9c49c84aaab9ae48d1a37248dc949a6d
                                                                                                                • Instruction ID: 121b66ba22d960279e85ff3c42bc57283041b33882510bcbb6688471a48c2618
                                                                                                                • Opcode Fuzzy Hash: 580eb8bd8f76e11621dd22c3f902231a9c49c84aaab9ae48d1a37248dc949a6d
                                                                                                                • Instruction Fuzzy Hash: CDA1C263A28B8281EA10DF65E8453BD6361FF85784F485131EA5C83AEBDF3EE544C349
                                                                                                                APIs
                                                                                                                Similarity
                                                                                                                • API ID: ErrorLast
                                                                                                                • String ID:
                                                                                                                • API String ID: 1452528299-0
                                                                                                                • Opcode ID: ec58c6949f9e474dd952ff72457f5410cce056d9892a96e8c34aae8edf97276e
                                                                                                                • Instruction ID: c6b7d2f3456012fb065ef5dc5f91f568aa171434b5420c39ccdf386400634ce4
                                                                                                                • Opcode Fuzzy Hash: ec58c6949f9e474dd952ff72457f5410cce056d9892a96e8c34aae8edf97276e
                                                                                                                • Instruction Fuzzy Hash: AD519CA3E14A4299FB149F65D4453EC2321EF84B98F484236DA1C97BDBEE2EE140C349
                                                                                                                APIs
                                                                                                                Similarity
                                                                                                                • API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
                                                                                                                • String ID:
                                                                                                                • API String ID: 1077098981-0
                                                                                                                • Opcode ID: decc2da6846149065e747433b686ffe20880dedc2611ac47de6390cb5f5191d4
                                                                                                                • Instruction ID: 98a4381f29703f461d0298afb2dbf0b8fb091b3330087c0d704dd4bd9ce8622e
                                                                                                                • Opcode Fuzzy Hash: decc2da6846149065e747433b686ffe20880dedc2611ac47de6390cb5f5191d4
                                                                                                                • Instruction Fuzzy Hash: 0E515033A18B4286E754CF61E8443AE7764FF84B84F541039EA4E97A59DF3ED804CB45
                                                                                                                APIs
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                                                                                                                • String ID:
                                                                                                                • API String ID: 4141327611-0
                                                                                                                • Opcode ID: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
                                                                                                                • Instruction ID: 33f9cc3e41c5bee617dfb8b0dcc1176285fd8236222f7ff45ee3f6380d1b655f
                                                                                                                • Opcode Fuzzy Hash: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
                                                                                                                • Instruction Fuzzy Hash: B6417433A0C7424AFB669F55D18037962A0EF90B90F1C4131EA5D87AD7EF6FD841870A
                                                                                                                APIs
                                                                                                                Similarity
                                                                                                                • API ID: FileMove_invalid_parameter_noinfo_noreturn
                                                                                                                • String ID:
                                                                                                                • API String ID: 3823481717-0
                                                                                                                • Opcode ID: c1c548311496109c7c973564b1f0111f496352b18342627c01e39ee1156b1353
                                                                                                                • Instruction ID: 144ff371dcf90aadc6b63e6d6585b33e5cab9c7d440b70450509879d42f63f27
                                                                                                                • Opcode Fuzzy Hash: c1c548311496109c7c973564b1f0111f496352b18342627c01e39ee1156b1353
                                                                                                                • Instruction Fuzzy Hash: 2541B263F14B5184FB00CF79E8462AC3371BF44BA4B085231DE5D96ADADF7AD051C209
                                                                                                                APIs
                                                                                                                • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6E999C45B), ref: 00007FF6E99A0B91
                                                                                                                • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF6E999C45B), ref: 00007FF6E99A0BF3
                                                                                                                • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF6E999C45B), ref: 00007FF6E99A0C2D
                                                                                                                • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6E999C45B), ref: 00007FF6E99A0C57
                                                                                                                Similarity
                                                                                                                • API ID: ByteCharEnvironmentMultiStringsWide$Free
                                                                                                                • String ID:
                                                                                                                • API String ID: 1557788787-0
                                                                                                                • Opcode ID: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
                                                                                                                • Instruction ID: e2ddb7c9ada53b24c2b27d6b16337809ea96031a00a01bc3c3794a053cca8e31
                                                                                                                • Opcode Fuzzy Hash: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
                                                                                                                • Instruction Fuzzy Hash: A121DB72F19B5181EA249F126440229B7A4FF59FD0B0C4134DE9EA3BD6DF7EE4528309
                                                                                                                APIs
                                                                                                                Similarity
                                                                                                                • API ID: ErrorLast$abort
                                                                                                                • String ID:
                                                                                                                • API String ID: 1447195878-0
                                                                                                                • Opcode ID: df247b5a3948333368795c339682862bf84e23f7c025c70b8dad3e7beb060077
                                                                                                                • Instruction ID: 07c7231f9c2ae052e37fbbcba33dbe5bc1b8c28e38e618ae0e273abb119c7235
                                                                                                                • Opcode Fuzzy Hash: df247b5a3948333368795c339682862bf84e23f7c025c70b8dad3e7beb060077
                                                                                                                • Instruction Fuzzy Hash: 43016D23E097064AFB5A6F25A6953B812619F587D0F1C0438E91E877E7ED2EF840420A
                                                                                                                APIs
                                                                                                                Similarity
                                                                                                                • API ID: CapsDevice$Release
                                                                                                                • String ID:
                                                                                                                • API String ID: 1035833867-0
                                                                                                                • Opcode ID: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
                                                                                                                • Instruction ID: 4fa570234dfcb198d4de3c875b0ca7d5cd1127de0b769cc28df6bbbb026f96e4
                                                                                                                • Opcode Fuzzy Hash: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
                                                                                                                • Instruction Fuzzy Hash: E9E01262F0970282FF185FB26C5933621A0AF48742F0C4439D81FCB352DE3EA885C719
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                • String ID: DXGIDebug.dll
                                                                                                                • API String ID: 3668304517-540382549
                                                                                                                • Opcode ID: a08899e38426230943dcdae29aa39143af9d13bf0e4c208fbdbfd644d4e58482
                                                                                                                • Instruction ID: b8415b59f9f991d940d28170d6dcc0c9d57289022e595d7cb46dafd9c79c9c98
                                                                                                                • Opcode Fuzzy Hash: a08899e38426230943dcdae29aa39143af9d13bf0e4c208fbdbfd644d4e58482
                                                                                                                • Instruction Fuzzy Hash: 10719C73A14B8186EB14CF65E4443ADB3A4FF54794F084226DBAC47B9ADF79E061C348
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo
                                                                                                                • String ID: e+000$gfff
                                                                                                                • API String ID: 3215553584-3030954782
                                                                                                                • Opcode ID: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
                                                                                                                • Instruction ID: 2b593ed66d1311b25f6a9259fcc9d9b31a3b5d9414290257fc4b541fde230889
                                                                                                                • Opcode Fuzzy Hash: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
                                                                                                                • Instruction Fuzzy Hash: 4851F363B187C18AE7258F79994136D6A91EF81B90F0CD231DA9CC7BD6CE2ED444C706
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: _invalid_parameter_noinfo_noreturn$swprintf
                                                                                                                • String ID: SIZE
                                                                                                                • API String ID: 449872665-3243624926
                                                                                                                • Opcode ID: 3190869bd73ecd60fb0f53392e682d412e6871c3627f6ccf45194b60311ac42a
                                                                                                                • Instruction ID: 86fa4832baac2d2c2abad1368486d2b7507ec560f427b208ce2b8da3a05f5faf
                                                                                                                • Opcode Fuzzy Hash: 3190869bd73ecd60fb0f53392e682d412e6871c3627f6ccf45194b60311ac42a
                                                                                                                • Instruction Fuzzy Hash: 4C41E363A2878285EE10DF28E4413BD6360EF857A4F584231EA9D866D7EE3ED580C709
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: FileModuleName_invalid_parameter_noinfo
                                                                                                                • String ID: C:\Users\user\Desktop\442.docx.exe
                                                                                                                • API String ID: 3307058713-4147804102
                                                                                                                • Opcode ID: 2b307fc7043d57580c2760bc14d10e66149d3294dbd6a1f00798eb6953a6f573
                                                                                                                • Instruction ID: 3882e8d9e53405b351baa89742f6bb95991995160109f7d1aba737eafb094f1a
                                                                                                                • Opcode Fuzzy Hash: 2b307fc7043d57580c2760bc14d10e66149d3294dbd6a1f00798eb6953a6f573
                                                                                                                • Instruction Fuzzy Hash: D8419033A08B528AEB15DF25A8412BC77A4FF447D4B484031F94D87B86EE3EE441C35A
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: ItemText$DialogWindow
                                                                                                                • String ID: ASKNEXTVOL
                                                                                                                • API String ID: 445417207-3402441367
                                                                                                                • Opcode ID: 75a4ef6a6cdb84fc8c98b7401f85638b76a9530d4b428818baa7d4c6ec3066de
                                                                                                                • Instruction ID: 49371f8b3dbd1c57f66d0914b4e8efc4ca52966a3d80e69f599b73223daffad7
                                                                                                                • Opcode Fuzzy Hash: 75a4ef6a6cdb84fc8c98b7401f85638b76a9530d4b428818baa7d4c6ec3066de
                                                                                                                • Instruction Fuzzy Hash: 4A418723A1864181FA249F16D9543B923A1EF85BC4F1C4039DE4E9B797DE3FE441C34A
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: ByteCharMultiWide_snwprintf
                                                                                                                • String ID: $%s$@%s
                                                                                                                • API String ID: 2650857296-834177443
                                                                                                                • Opcode ID: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
                                                                                                                • Instruction ID: 397a71c17c91124df3f781bcd008871c8e83550b8c8ba67e3b11ffa7b8449f8e
                                                                                                                • Opcode Fuzzy Hash: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
                                                                                                                • Instruction Fuzzy Hash: 7D31E073B19A4699EE108F26E4403E923A0FF547C4F480032EE0D4B796EE3EE505C705
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: FileHandleType
                                                                                                                • String ID: @
                                                                                                                • API String ID: 3000768030-2766056989
                                                                                                                • Opcode ID: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
                                                                                                                • Instruction ID: 3d6ae26ff6d14ff8f5b40cc6eb3b9c957350e4ca1edfb29289ce529305511ec8
                                                                                                                • Opcode Fuzzy Hash: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
                                                                                                                • Instruction Fuzzy Hash: 87219323E08A8245EB608F7694903792655EF45774F2C4335D66F877D5CE3ED881C30A
                                                                                                                APIs
                                                                                                                • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6E9991D3E), ref: 00007FF6E99940BC
                                                                                                                • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6E9991D3E), ref: 00007FF6E9994102
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: ExceptionFileHeaderRaise
                                                                                                                • String ID: csm
                                                                                                                • API String ID: 2573137834-1018135373
                                                                                                                • Opcode ID: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
                                                                                                                • Instruction ID: 4c950e6dafea189197207d7c6934a71f00312a08161958e67f8ec59c655b3359
                                                                                                                • Opcode Fuzzy Hash: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
                                                                                                                • Instruction Fuzzy Hash: 0B112B32A18B8182EB218F15E84026AB7E1FB88B94F1C4231DE8D47765DF3DD565C705
                                                                                                                APIs
                                                                                                                • WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF6E997E95F,?,?,?,00007FF6E997463A,?,?,?), ref: 00007FF6E997EA63
                                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF6E997E95F,?,?,?,00007FF6E997463A,?,?,?), ref: 00007FF6E997EA6E
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: ErrorLastObjectSingleWait
                                                                                                                • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                                                                                • API String ID: 1211598281-2248577382
                                                                                                                • Opcode ID: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
                                                                                                                • Instruction ID: 5dc29a1d74811edf6d073cb739052e8ba2776443635d60df6f109f47a5b24dee
                                                                                                                • Opcode Fuzzy Hash: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
                                                                                                                • Instruction Fuzzy Hash: 27E01267E1980241FA005F259C417B82610BF607B0F980331D03EC15F3AE6E9545C30B
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1740331579.00007FF6E9961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E9960000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: FindHandleModuleResource
                                                                                                                • String ID: RTL
                                                                                                                • API String ID: 3537982541-834975271
                                                                                                                • Opcode ID: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
                                                                                                                • Instruction ID: f15de1f9ae71c41d1989d07f86dc03ae2b068faf646e052812489db6881d507a
                                                                                                                • Opcode Fuzzy Hash: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
                                                                                                                • Instruction Fuzzy Hash: CDD05B62F0960181FF194F7254453741250DF1CB45F4C4038C81D46392EE6ED0D4C75A

                                                                                                                Execution Graph

                                                                                                                Execution Coverage:1%
                                                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                                                Signature Coverage:5.8%
                                                                                                                Total number of Nodes:1056
                                                                                                                Total number of Limit Nodes:13
5796->5798 5797->5798 5798->5745 5800 600464d3 5799->5800 5801 600464dd calloc 5800->5801 5802 600464e0 5800->5802 5805 600464ed 5801->5805 5804 60046508 calloc 5802->5804 5802->5805 5804->5805 5805->5757 6156 60044390 GetModuleHandleW 6157 600443c9 6156->6157 6158 600443b1 GetProcAddress 6156->6158 6158->6157 6202 5fc83670 6204 5fc8367f 6202->6204 6203 5fc83690 6204->6203 6205 5fc85ba6 6204->6205 6207 5fc85bc7 6204->6207 6206 5ff9f7e0 4 API calls 6205->6206 6208 5fc85bbb 6206->6208 6209 5ff9f7e0 4 API calls 6207->6209 6211 600eef3a 6209->6211 6210 5ff9f7e0 4 API calls 6210->6211 6211->6210 6944 5fc81bb0 6946 5fc81bbf 6944->6946 6945 5fc81bd0 6946->6945 6947 5ff9f7e0 4 API calls 6946->6947 6948 600eee58 6947->6948 6949 5fc83d30 6951 5fc83d68 6949->6951 6950 5fc83dfd 6952 5fc83f1a memcpy 6950->6952 6956 5fc83f6c memcpy 6950->6956 6951->6950 6953 600edbf0 6 API calls 6951->6953 6952->6950 6954 5fc83dba 6953->6954 6954->6950 6955 5fc83dcc memcpy 6954->6955 6955->6950 6956->6950 6957 5fc81cb0 6958 5fc81cbf 6957->6958 6960 5fc81ce1 6958->6960 6961 5fc859f0 6958->6961 6962 5fc85a65 6961->6962 6963 5fc85a0e 6961->6963 6962->6960 6965 5fc85a23 6963->6965 6966 5fc85aaf 6963->6966 6964 5fc85a50 6967 5ff9f7e0 4 API calls 6964->6967 6965->6964 6978 5fc9bfe0 6965->6978 6969 5ff9f7e0 4 API calls 6966->6969 6967->6962 6971 600eef1a 6969->6971 6970 5fc85a4a 6970->6964 6972 5fc9f8b0 18 API calls 6970->6972 6973 5ff9f7e0 4 API calls 6971->6973 6972->6964 6974 600eef2a 6973->6974 6975 5ff9f7e0 4 API calls 6974->6975 6977 600eef3a 6975->6977 6976 5ff9f7e0 4 API calls 6976->6977 6977->6976 6979 5fc9c125 6978->6979 6980 5fc9bff5 6978->6980 6982 5fd7bfc0 10 API calls 6979->6982 6981 5fc9c046 6980->6981 6983 5fc9c16c 6980->6983 6984 5fc9c00f 6980->6984 6981->6970 6985 5fc9c146 6982->6985 6989 5fd7bfc0 10 API calls 6983->6989 6986 5fc9c083 6984->6986 6988 5fc9c0e0 6984->6988 6993 5fc9c02d 6984->6993 6987 5fd7c340 10 API calls 6985->6987 6986->6970 6987->6981 6991 5fd7bfc0 10 API calls 
6988->6991 6990 5fc9c18d 6989->6990 6992 5fd7c340 10 API calls 6990->6992 6994 5fc9c101 6991->6994 6992->6981 6993->6981 6995 5fd302e0 3 API calls 6993->6995 6996 5fd7c340 10 API calls 6994->6996 6997 5fc9c095 6995->6997 6998 5fc9c11d 6996->6998 6997->6981 6999 5fc973d0 28 API calls 6997->6999 6998->6970 6999->6981 7000 5fc824b0 7001 5fc82500 7000->7001 7002 5fc826fb memcpy 7001->7002 7002->7001 6167 5fde5740 6169 5fde5759 6167->6169 6168 5fde57b6 6169->6168 6179 5fdc4e60 EnterCriticalSection 6169->6179 6171 5fde5773 6171->6168 6180 5fdc4ea0 LeaveCriticalSection 6171->6180 6173 5fde578a 6173->6168 6181 5fdc4e80 EnterCriticalSection 6173->6181 6176 5fde579b 6176->6168 6178 5fde57a9 6176->6178 6183 5fd751d0 6176->6183 6182 5fdc4ea0 LeaveCriticalSection 6178->6182 6179->6171 6180->6173 6181->6176 6182->6168 6184 5fd751e2 6183->6184 6192 5fd751f5 6183->6192 6193 5fdc4e80 EnterCriticalSection 6184->6193 6186 5fd751ef 6186->6192 6194 5fdc4ea0 LeaveCriticalSection 6186->6194 6188 5fd7521f 6189 5fd7bfc0 10 API calls 6188->6189 6188->6192 6190 5fd75244 6189->6190 6191 5fd7c340 10 API calls 6190->6191 6191->6192 6192->6178 6193->6186 6194->6188

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 60046BAD
                                                                                                                • CreateEventA.KERNEL32 ref: 60046BD5
                                                                                                                • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 60046C17
                                                                                                                • GetCurrentThread.KERNEL32 ref: 60046C1B
                                                                                                                • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 60046C23
                                                                                                                • DuplicateHandle.KERNELBASE ref: 60046C4F
                                                                                                                • GetThreadPriority.KERNEL32 ref: 60046C66
                                                                                                                • TlsSetValue.KERNEL32 ref: 60046C92
                                                                                                                • TlsGetValue.KERNEL32 ref: 60046CD0
                                                                                                                • abort.MSVCRT(?,?,?,431BDE83,60049B07), ref: 600F242A
                                                                                                                • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,431BDE83,60049B07), ref: 600F246C
                                                                                                                • GetProcAddress.KERNEL32 ref: 600F248C
                                                                                                                • GetProcAddress.KERNEL32 ref: 600F24A0
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1861003019.000000005FC81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC80000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1860982127.000000005FC80000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1865458228.00000000600F9000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1865509119.0000000060100000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1865509119.00000000601CE000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1866784872.00000000602B5000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1868108793.00000000602B6000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1868161375.00000000602B7000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1868191734.00000000602BB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_5fc80000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Current$Thread$AddressHandleProcProcessValue$CreateDuplicateEventModulePriorityabort
                                                                                                                • String ID:
                                                                                                                • API String ID: 1214264455-0
                                                                                                                • Opcode ID: 410b62446c5b15087784118d393726af8ad3af1c6510768b0cfe24c9080fbcd1
                                                                                                                • Instruction ID: ac7813ece771cc05782aa88c49ed25db049e9b5945a9c84d3d27f128b08f52a0
                                                                                                                • Opcode Fuzzy Hash: 410b62446c5b15087784118d393726af8ad3af1c6510768b0cfe24c9080fbcd1
                                                                                                                • Instruction Fuzzy Hash: 184107B18053008FDB00AF79D98931ABFE4FF55318F014A6DE89497255E7B9D944CBA2

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1861003019.000000005FC81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC80000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1860982127.000000005FC80000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1865458228.00000000600F9000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1865509119.0000000060100000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1865509119.00000000601CE000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1866784872.00000000602B5000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1868108793.00000000602B6000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1868161375.00000000602B7000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1868191734.00000000602BB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_5fc80000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: abort
                                                                                                                • String ID:
                                                                                                                • API String ID: 4206212132-0
                                                                                                                • Opcode ID: 232a316ae62adc1f061dae762604906f509dae3dcd2c179dc4aee91837e6b265
                                                                                                                • Instruction ID: 2a3715adb601e08488ac31df6062b6679b4abacdc736da6ccf8ebbb91ca3cb3f
                                                                                                                • Opcode Fuzzy Hash: 232a316ae62adc1f061dae762604906f509dae3dcd2c179dc4aee91837e6b265
                                                                                                                • Instruction Fuzzy Hash: B901C4B151428A8BD700DF39C4C5729BFF4BF62304F850855E8404B342D738A89AD765

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1861003019.000000005FC81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC80000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1860982127.000000005FC80000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1865458228.00000000600F9000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1865509119.0000000060100000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1865509119.00000000601CE000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1866784872.00000000602B5000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1868108793.00000000602B6000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1868161375.00000000602B7000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1868191734.00000000602BB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_5fc80000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _lock_unlockcalloc
                                                                                                                • String ID:
                                                                                                                • API String ID: 3876498383-0
                                                                                                                • Opcode ID: ab375ab5a348395aa2b1c41066fd2d73b620529a5e0c5ab71e7ee1146ade8483
                                                                                                                • Instruction ID: 0c166785852f1f150ed50a268d62f77157ee5b2d2c4812f11a4bbb90c09cde79
                                                                                                                • Opcode Fuzzy Hash: ab375ab5a348395aa2b1c41066fd2d73b620529a5e0c5ab71e7ee1146ade8483
                                                                                                                • Instruction Fuzzy Hash: E5113AB1504211EFEB40DF28D58071ABBE4BF99200F5586B9D898CB245EB74D844CB66

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 44 5fdb12f0-5fdb130c 45 5fdb130e-5fdb131d 44->45 46 5fdb1332-5fdb1334 44->46 50 5fdb132b-5fdb1331 45->50 53 5fdb131f-5fdb1321 45->53 47 5fdb1329 46->47 48 5fdb1336-5fdb133d 46->48 47->50 51 5fdb1349-5fdb1353 malloc 48->51 52 5fdb133f 48->52 54 5fdb1323-5fdb1327 51->54 55 5fdb1355-5fdb135b 51->55 52->51 53->50 53->54 54->47 56 5fdb1360-5fdb1397 call 5fd7beb0 call 5fd7bfc0 call 5fd7c340 54->56 56->50
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1861003019.000000005FC81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC80000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1860982127.000000005FC80000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1865458228.00000000600F9000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1865509119.0000000060100000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1865509119.00000000601CE000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1866784872.00000000602B5000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1868108793.00000000602B6000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1868161375.00000000602B7000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1868191734.00000000602BB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_5fc80000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: malloc
                                                                                                                • String ID:
                                                                                                                • API String ID: 2803490479-0
                                                                                                                • Opcode ID: 4e4ba96908052b193defb16cc5b5637d2fe5207c36d458c477c76d7daa6c427a
                                                                                                                • Instruction ID: 11a52fbeab7588a8d8db17359b811af273bc03cd0c6fe6f7a29fdaa7497f9d4e
                                                                                                                • Opcode Fuzzy Hash: 4e4ba96908052b193defb16cc5b5637d2fe5207c36d458c477c76d7daa6c427a
                                                                                                                • Instruction Fuzzy Hash: A71161B12093019BD780BF69E98176FBBE4AF84654F444D2EE8C58B716E774E4408FD2

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 700 60046ad0-60046ad7 701 60046add-60046b02 call 600464c0 call 5ff9f4b0 700->701 702 60046b88 700->702 707 60046b04-60046b12 TlsAlloc 701->707 708 60046b40-60046b43 701->708 711 600f2425-600f2477 abort * 2 GetModuleHandleA 707->711 712 60046b18 707->712 709 60046b45-60046b78 fprintf call 5ff9f7e0 708->709 710 60046b22-60046b2c call 5ff9f7e0 708->710 719 60046b2e-60046b35 709->719 720 60046b7a-60046b80 709->720 710->719 710->720 717 600f24a9-600f24ae 711->717 718 600f2479-600f24a8 GetProcAddress * 2 711->718 712->710 718->717 719->708
                                                                                                                APIs
                                                                                                                  • Part of subcall function 600464C0: calloc.MSVCRT ref: 6004654E
                                                                                                                • TlsAlloc.KERNEL32(?,?,00000000,6004801E,?,?,?,431BDE83,60049B07), ref: 60046B04
                                                                                                                • fprintf.MSVCRT ref: 60046B69
                                                                                                                • abort.MSVCRT(?,?,?,431BDE83,60049B07), ref: 600F2425
                                                                                                                • abort.MSVCRT(?,?,?,431BDE83,60049B07), ref: 600F242A
                                                                                                                • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,431BDE83,60049B07), ref: 600F246C
                                                                                                                • GetProcAddress.KERNEL32 ref: 600F248C
                                                                                                                • GetProcAddress.KERNEL32 ref: 600F24A0
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1861003019.000000005FC81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC80000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1860982127.000000005FC80000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1865458228.00000000600F9000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1865509119.0000000060100000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1865509119.00000000601CE000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1866784872.00000000602B5000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1868108793.00000000602B6000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1868161375.00000000602B7000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1868191734.00000000602BB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_5fc80000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProcabort$AllocHandleModulecallocfprintf
                                                                                                                • String ID:
                                                                                                                • API String ID: 2703921052-0
                                                                                                                • Opcode ID: 54c4e5a1ee59cf1e43e08aee5c5431469dde0b0b896b8dbecb9d12124f035eda
                                                                                                                • Instruction ID: d8aa848e68908a6d7696209b4b49d7c978773fb05b5a79990f158b1dcb7c2e14
                                                                                                                • Opcode Fuzzy Hash: 54c4e5a1ee59cf1e43e08aee5c5431469dde0b0b896b8dbecb9d12124f035eda
                                                                                                                • Instruction Fuzzy Hash: D6316FB1905600DFDB00AF69D8C971ABFE4FF65318F01462EE58497361E7B89841CB96
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1861003019.000000005FC81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC80000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1860982127.000000005FC80000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1865458228.00000000600F9000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1865509119.0000000060100000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1865509119.00000000601CE000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1866784872.00000000602B5000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1868108793.00000000602B6000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1868161375.00000000602B7000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1868191734.00000000602BB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_5fc80000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy$malloc
                                                                                                                • String ID: `
                                                                                                                • API String ID: 962570267-4168407445
                                                                                                                • Opcode ID: 54617e6cf0e739a769a6fe4b04d7bf324360dc7ced61455a20b47c441c689987
                                                                                                                • Instruction ID: 41206e7ee7ee6923ed55b2c7d090c81aa7435c59bd6cc30801b3252a49de3530
                                                                                                                • Opcode Fuzzy Hash: 54617e6cf0e739a769a6fe4b04d7bf324360dc7ced61455a20b47c441c689987
                                                                                                                • Instruction Fuzzy Hash: 72613BB190D3858ED300DF25D88031BBFE1BFD6348F114A6EE4C8A7251E7B59245DB92
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1861003019.000000005FC81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC80000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_5fc80000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 3510742995-0
                                                                                                                • Opcode ID: 7631be70d690cbad5aceab812d89728d19d2f949dd17beb1756a3c662439505a
                                                                                                                • Instruction ID: c63c247e013262510305809d3f8d8da51ce8984b166127b1987ef2d25b17e6eb
                                                                                                                • Opcode Fuzzy Hash: 7631be70d690cbad5aceab812d89728d19d2f949dd17beb1756a3c662439505a
                                                                                                                • Instruction Fuzzy Hash: 1751B0B4D54358DFCB04DFA5C480A9EBBF4BF89308F10852EE844AB345E774A849CB91
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1861003019.000000005FC81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC80000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_5fc80000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 3510742995-0
                                                                                                                • Opcode ID: 224dd945d00b3fc0ab9bbe8d16e05aa4b9607eeb852bfa9137488e22c9e8e443
                                                                                                                • Instruction ID: 30fcbe6c4b0b261427b8eb5804fd8cc4d88139f3b0896db89645fe435fffec3e
                                                                                                                • Opcode Fuzzy Hash: 224dd945d00b3fc0ab9bbe8d16e05aa4b9607eeb852bfa9137488e22c9e8e443
                                                                                                                • Instruction Fuzzy Hash: 8351D2B4D04358DFCB00DFA5C480A8EBBF4BF89308F11856EE844AB359E774A849CB91
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1861003019.000000005FC81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC80000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_5fc80000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 3510742995-0
                                                                                                                • Opcode ID: 809941c1d581cb8dc39b6b3b1445724cdaa2f47133f87fedc4ccd28e194aaaf0
                                                                                                                • Instruction ID: 3065ccc242f0fc54a986ef9d4dd1ec3644a37410d3b947c712038cc5dadb736c
                                                                                                                • Opcode Fuzzy Hash: 809941c1d581cb8dc39b6b3b1445724cdaa2f47133f87fedc4ccd28e194aaaf0
                                                                                                                • Instruction Fuzzy Hash: 9851CEB4D043589FCB00DFA5C480ACEBBF4BF99308F11856EE854AB345E775A849CB91
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1861003019.000000005FC81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC80000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_5fc80000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 1521ad2825085fff8fc75a6096d1b8867f4785f2e833fefdcb5acc12bc86f621
                                                                                                                • Instruction ID: fff8a6c72a5bee13703625dc82e4a90614b88842dff3e8e56678c0b7a29e6b94
                                                                                                                • Opcode Fuzzy Hash: 1521ad2825085fff8fc75a6096d1b8867f4785f2e833fefdcb5acc12bc86f621
                                                                                                                • Instruction Fuzzy Hash: 2531D0B05083809BC3109F29C48034BFBE5BFC9758F509A2DF9999B320D774A9498B82
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1861003019.000000005FC81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC80000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_5fc80000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: e48e6a791e94df901c83183fdace2040c9bea86b6a43ca92c1d1e16c2487ac69
                                                                                                                • Instruction ID: 969e36c6c9c431466931c3768b07244cd047a394ccded2b29a86a2539ba3cc3c
                                                                                                                • Opcode Fuzzy Hash: e48e6a791e94df901c83183fdace2040c9bea86b6a43ca92c1d1e16c2487ac69
                                                                                                                • Instruction Fuzzy Hash: 4D31E3B06087428FC705AF29C58531FBBE1BFD5208F014D2DF5849B306EB74D8498B82
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1861003019.000000005FC81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC80000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_5fc80000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 0be8ab299d6cf77461f946d58c247347db370bcd5a4b8f92a4e81b08371a1cb7
                                                                                                                • Instruction ID: 83838eb31ebb297d6a4a1b70d45768278c55e7f49b6849013a153157ec81746d
                                                                                                                • Opcode Fuzzy Hash: 0be8ab299d6cf77461f946d58c247347db370bcd5a4b8f92a4e81b08371a1cb7
                                                                                                                • Instruction Fuzzy Hash: C831E2B06087428FC705AF29C88531FBBE1BFE5248F114D2DF5849B306EBB4D8498B92
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1861003019.000000005FC81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC80000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_5fc80000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 04fd1a9125bfd2236fb9ddb1cebcd5043b5ddcdea5d6fb7ae223072e2b11908c
                                                                                                                • Instruction ID: b6e4a677f8666ddca81222038f170fbd865ffbdb4ebf838b8f4e79727d32bfeb
                                                                                                                • Opcode Fuzzy Hash: 04fd1a9125bfd2236fb9ddb1cebcd5043b5ddcdea5d6fb7ae223072e2b11908c
                                                                                                                • Instruction Fuzzy Hash: 48C08CB0C093408FC200BF38850A33CFAB0AFA3208F852CACE48023202F735C01C865B

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • GetCurrentThread.KERNEL32 ref: 60049678
                                                                                                                • GetThreadTimes.KERNEL32 ref: 600496A1
                                                                                                                • GetSystemTimeAsFileTime.KERNEL32 ref: 60049717
                                                                                                                • QueryPerformanceFrequency.KERNEL32 ref: 60049757
                                                                                                                • QueryPerformanceCounter.KERNEL32 ref: 6004976F
                                                                                                                • GetCurrentProcess.KERNEL32 ref: 60049818
                                                                                                                • GetProcessTimes.KERNEL32 ref: 60049841
                                                                                                                • _errno.MSVCRT ref: 60049852
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1861003019.000000005FC81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC80000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1860982127.000000005FC80000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1865458228.00000000600F9000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1865509119.0000000060100000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1865509119.00000000601CE000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1866784872.00000000602B5000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1868108793.00000000602B6000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1868161375.00000000602B7000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1868191734.00000000602BB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_5fc80000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CurrentPerformanceProcessQueryThreadTimeTimes$CounterFileFrequencySystem_errno
                                                                                                                • String ID:
                                                                                                                • API String ID: 3786581644-0
                                                                                                                • Opcode ID: d05ccea37e518d453f9e171f5e251a55345a5622f0273139ba3c70f026d55729
                                                                                                                • Instruction ID: eed120ed942123367842f8d928712e37a86d3fd297b3f0ece1a036d634c03573
                                                                                                                • Opcode Fuzzy Hash: d05ccea37e518d453f9e171f5e251a55345a5622f0273139ba3c70f026d55729
                                                                                                                • Instruction Fuzzy Hash: 61B1F1B55083019FC700DF68CA8964ABFF5FF89358F458A2EE89997314E774E944CB82

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • calloc.MSVCRT ref: 600454DD
                                                                                                                • CreateSemaphoreA.KERNEL32 ref: 6004551F
                                                                                                                • CreateSemaphoreA.KERNEL32 ref: 60045546
                                                                                                                • InitializeCriticalSection.KERNEL32 ref: 60045565
                                                                                                                • InitializeCriticalSection.KERNEL32 ref: 60045570
                                                                                                                • InitializeCriticalSection.KERNEL32 ref: 6004557B
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1861003019.000000005FC81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC80000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1860982127.000000005FC80000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1865458228.00000000600F9000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1865509119.0000000060100000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1865509119.00000000601CE000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1866784872.00000000602B5000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1868108793.00000000602B6000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1868161375.00000000602B7000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1868191734.00000000602BB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_5fc80000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CriticalInitializeSection$CreateSemaphore$calloc
                                                                                                                • String ID: l
                                                                                                                • API String ID: 2075313795-2517025534
                                                                                                                • Opcode ID: 4755ec9418ec6fb7fb2a43cefea765496c3b2ab05e821a3456f315ae67c2cdfe
                                                                                                                • Instruction ID: 53fec4f298815be43a076d7b49a6ce6b7fb52db9eadafbb7c619a5d71367f588
                                                                                                                • Opcode Fuzzy Hash: 4755ec9418ec6fb7fb2a43cefea765496c3b2ab05e821a3456f315ae67c2cdfe
                                                                                                                • Instruction Fuzzy Hash: EE418DB6904300CFEB10AF68D98836ABFE4EF81315F118A6DD9948B285E776D454CF82

                                                                                                                Control-flow Graph

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1861003019.000000005FC81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC80000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1860982127.000000005FC80000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1865458228.00000000600F9000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1865509119.0000000060100000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1865509119.00000000601CE000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1866784872.00000000602B5000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1868108793.00000000602B6000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1868161375.00000000602B7000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1868191734.00000000602BB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_5fc80000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: ff69c2fc6999567a92813603e8b786ba5dc42b691ea617655356268685371cc9
                                                                                                                • Instruction ID: 4837673df1ff236e0ae415d3d7c617e3b017116355599ccb5b5aa2d5f1d95529
                                                                                                                • Opcode Fuzzy Hash: ff69c2fc6999567a92813603e8b786ba5dc42b691ea617655356268685371cc9
                                                                                                                • Instruction Fuzzy Hash: 50718D70548609CFC701EF79D4C676EBBE5AFB2308F41482DE484AB216DB74A845CBA7

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                  • Part of subcall function 60047AC0: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000030,76ECE820), ref: 60047AD0
                                                                                                                  • Part of subcall function 5FF9FE90: WaitForMultipleObjects.KERNEL32 ref: 5FF9FF03
                                                                                                                • ResetEvent.KERNEL32 ref: 6004569F
                                                                                                                  • Part of subcall function 60047E30: TlsGetValue.KERNEL32(?,?,00000000,?,60048065,?,?,?,?,431BDE83,60049B07), ref: 60047E42
                                                                                                                • WaitForSingleObject.KERNEL32 ref: 600456DF
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1861003019.000000005FC81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC80000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1860982127.000000005FC80000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1865458228.00000000600F9000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1865509119.0000000060100000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1865509119.00000000601CE000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1866784872.00000000602B5000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1868108793.00000000602B6000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1868161375.00000000602B7000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1868191734.00000000602BB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_5fc80000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ValueWait$EventMultipleObjectObjectsResetSingle
                                                                                                                • String ID: (
                                                                                                                • API String ID: 2327612466-3887548279
                                                                                                                • Opcode ID: 87e19c41f7eab32f4a1b5544d67e431a0369addc79dfdaa7620c28db773181f8
                                                                                                                • Instruction ID: 52e6febd355ebc2545313069d0f8c490cfacf9d6d291744c4a4d81fe1f86e72a
                                                                                                                • Opcode Fuzzy Hash: 87e19c41f7eab32f4a1b5544d67e431a0369addc79dfdaa7620c28db773181f8
                                                                                                                • Instruction Fuzzy Hash: 9261FF7990C311CBD710AF69A58931EBEE0AFA1746F41483DE98497242EB35CC44CBAB

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1861003019.000000005FC81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC80000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1860982127.000000005FC80000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1865458228.00000000600F9000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1865509119.0000000060100000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1865509119.00000000601CE000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1866784872.00000000602B5000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1868108793.00000000602B6000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1868161375.00000000602B7000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                                • Associated: 0000000A.00000002.1868191734.00000000602BB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_5fc80000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: strlen
                                                                                                                • String ID: $ $+$0123456789ABCDEF$0123456789abcdef
                                                                                                                • API String ID: 39653677-2690344263

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • SwitchToFiber.KERNEL32(?,?,?,?,5FC81CE1,5FC970E0,?,5FC9742C,?,?,?,?,?,?,?,?), ref: 5FD2FCB9
                                                                                                                • memcpy.MSVCRT(?,?,?,?,?,5FC81CE1,5FC970E0,?,5FC9742C,?,?,?,?,?,?,?), ref: 5FD2FD50
                                                                                                                • SwitchToFiber.KERNEL32(?,?,?,?,?,5FC81CE1,5FC970E0,?,5FC9742C,?,?,?,?,?,?,?), ref: 5FD2FD7C
                                                                                                                Strings
                                                                                                                Similarity
                                                                                                                • API ID: FiberSwitch$memcpy
                                                                                                                • String ID: `
                                                                                                                • API String ID: 148397844-2679148245

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                  • Part of subcall function 60046AD0: TlsAlloc.KERNEL32(?,?,00000000,6004801E,?,?,?,431BDE83,60049B07), ref: 60046B04
                                                                                                                • TlsGetValue.KERNEL32(?,?,00000000,?,60048065,?,?,?,?,431BDE83,60049B07), ref: 60047E42
                                                                                                                Similarity
                                                                                                                • API ID: AllocValue
                                                                                                                • String ID:
                                                                                                                • API String ID: 1189806713-0

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Similarity
                                                                                                                • API ID: CurrentDebugOutputStringThreadabortfprintf
                                                                                                                • String ID: 5
                                                                                                                • API String ID: 4086887302-2226203566

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                  • Part of subcall function 60046B90: TlsGetValue.KERNEL32 ref: 60046CD0
                                                                                                                • longjmp.MSVCRT ref: 60047BE6
                                                                                                                • TlsGetValue.KERNEL32(?,?,?,0000001C,60047D9F,?,?,?,?,00000000,60047EDE,?,?,?,00000000,?), ref: 60047BF4
                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,0000001C,60047D9F,?,?,?,?,00000000,60047EDE,?,?,?,00000000), ref: 60047C1B
                                                                                                                • _endthreadex.MSVCRT(?,?,?,?,0000001C,60047D9F,?,?,?,?,00000000,60047EDE,?,?,?,00000000), ref: 60047C30
                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,0000001C,60047D9F,?,?,?,?,00000000,60047EDE,?,?,?,00000000), ref: 60047C42
                                                                                                                • TlsSetValue.KERNEL32(?,?,?,?,?,0000001C,60047D9F,?,?,?,?,00000000,60047EDE), ref: 60047C63
                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,0000001C,60047D9F,?,?,?,?,00000000,60047EDE,?,?,?,00000000), ref: 60047C7A
                                                                                                                Similarity
                                                                                                                • API ID: CloseHandleValue$_endthreadexlongjmp
                                                                                                                • String ID:
                                                                                                                • API String ID: 3990644698-0
                                                                                                                APIs
                                                                                                                Similarity
                                                                                                                • API ID: malloc
                                                                                                                • String ID:
                                                                                                                • API String ID: 2803490479-0
                                                                                                                Strings
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: `$e
                                                                                                                • API String ID: 0-2074502723
                                                                                                                APIs
                                                                                                                • calloc.MSVCRT ref: 60049E98
                                                                                                                • free.MSVCRT ref: 60049F27
                                                                                                                • free.MSVCRT ref: 60049F4F
                                                                                                                  • Part of subcall function 600454A0: calloc.MSVCRT ref: 600454DD
                                                                                                                  • Part of subcall function 600454A0: CreateSemaphoreA.KERNEL32 ref: 6004551F
                                                                                                                  • Part of subcall function 600454A0: CreateSemaphoreA.KERNEL32 ref: 60045546
                                                                                                                  • Part of subcall function 600454A0: InitializeCriticalSection.KERNEL32 ref: 60045565
                                                                                                                  • Part of subcall function 600454A0: InitializeCriticalSection.KERNEL32 ref: 60045570
                                                                                                                  • Part of subcall function 600454A0: InitializeCriticalSection.KERNEL32 ref: 6004557B
                                                                                                                • free.MSVCRT ref: 60049F97
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1861003019.000000005FC81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC80000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_5fc80000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CriticalInitializeSectionfree$CreateSemaphorecalloc
                                                                                                                • String ID:
                                                                                                                • API String ID: 3430360044-3916222277
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1861003019.000000005FC81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC80000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_5fc80000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Time$FileSystem_errno
                                                                                                                • String ID:
                                                                                                                • API String ID: 3586254970-0
                                                                                                                APIs
                                                                                                                • abort.MSVCRT(?,?,?,?,?,?,6004BC17), ref: 600EF810
                                                                                                                • abort.MSVCRT(?,?,?,?,?,?,6004BB6C), ref: 600EF818
                                                                                                                • abort.MSVCRT(?,?,?,?,?,?,6004BC17), ref: 600EF82C
                                                                                                                • abort.MSVCRT(?,?,?,?,?,?,6004BC17), ref: 600EF844
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1861003019.000000005FC81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC80000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_5fc80000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: abort
                                                                                                                • String ID:
                                                                                                                • API String ID: 4206212132-0
                                                                                                                APIs
                                                                                                                • QueryPerformanceCounter.KERNEL32 ref: 5FF9FB60
                                                                                                                • GetTickCount.KERNEL32 ref: 5FF9FB6D
                                                                                                                • QueryPerformanceFrequency.KERNEL32 ref: 5FF9FBD7
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1861003019.000000005FC81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC80000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_5fc80000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: PerformanceQuery$CountCounterFrequencyTick
                                                                                                                • String ID:
                                                                                                                • API String ID: 713402817-0
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1861003019.000000005FC81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC80000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_5fc80000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: strlen$strcpy
                                                                                                                • String ID: B
                                                                                                                • API String ID: 2790333442-1255198513
                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 600CA49E
                                                                                                                • memmove.MSVCRT(?,?,?,?,?,00000000,00000000,?,?,5FC87F62), ref: 600CA4BE
                                                                                                                • memset.MSVCRT ref: 600CA5B4
                                                                                                                  • Part of subcall function 600EDBF0: malloc.MSVCRT ref: 600EDC07
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1861003019.000000005FC81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC80000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_5fc80000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$mallocmemmove
                                                                                                                • String ID:
                                                                                                                • API String ID: 1346079573-0
                                                                                                                APIs
                                                                                                                • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,0000001C,?,6004A59B), ref: 60045B96
                                                                                                                • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,0000001C,?,6004A59B), ref: 60045C26
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1861003019.000000005FC81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC80000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_5fc80000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CriticalSection$EnterLeave
                                                                                                                • String ID:
                                                                                                                • API String ID: 3168844106-0
                                                                                                                • Opcode ID: ce2bc9f63a75a81fc7534594c14dc2ce238b17ac8d798eb44db92c19587ab625
                                                                                                                • Instruction ID: acb5ea10e0d434a0b1951f0bdc5a10423303a89692aab8a347ca80ec6f286de5
                                                                                                                • Opcode Fuzzy Hash: ce2bc9f63a75a81fc7534594c14dc2ce238b17ac8d798eb44db92c19587ab625
                                                                                                                • Instruction Fuzzy Hash: A33136B5508200CFDB04EF28D8C475ABBE0EF54319F444679EC158B24AE735D984CB96
                                                                                                                APIs
                                                                                                                • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,0000001C,00000030,00000050,?,60045BD1), ref: 60045920
                                                                                                                • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,0000001C,00000030,00000050,?,60045BD1), ref: 6004593C
                                                                                                                • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,0000001C,00000030,00000050,?,60045BD1), ref: 60045979
                                                                                                                • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,0000001C,00000030,00000050,?,60045BD1), ref: 60045985
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1861003019.000000005FC81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC80000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_5fc80000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CriticalSection$EnterLeave
                                                                                                                • String ID:
                                                                                                                • API String ID: 3168844106-0
                                                                                                                • Opcode ID: 2c68b92b020cb9a5385ba627398a1583bf2dd7a62662d921ebce27bf717ec500
                                                                                                                • Instruction ID: abb7dd834fb7c615151f5baf8b6a20f99f795afeb06130178c702e5496f75ff7
                                                                                                                • Opcode Fuzzy Hash: 2c68b92b020cb9a5385ba627398a1583bf2dd7a62662d921ebce27bf717ec500
                                                                                                                • Instruction Fuzzy Hash: 6011F5B5A083148FC700EF39E98550ABBF0EF99661F02093DE98897311D231EC58CB92

                                                                                                                Execution Graph

                                                                                                                Execution Coverage:6.6%
                                                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                                                Signature Coverage:0%
                                                                                                                Total number of Nodes:82
                                                                                                                Total number of Limit Nodes:7

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • Sleep.KERNELBASE(00000000,?,00EA9B19,?,?,00EA9D58), ref: 00EA9AC6
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000011.00000002.3577851599.0000000000EA9000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00EA9000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_17_2_ea9000_rutserv.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Sleep
                                                                                                                • String ID: gfff$gfff
                                                                                                                • API String ID: 3472027048-3084402119
                                                                                                                • Opcode ID: 6487318beef497506cce547d6419ed7a7e5fe84b49e5e6baa35296401d7428f0
                                                                                                                • Instruction ID: 390dbd6635161cd47be935e4c7885f7d943b89bac3682ae2f1855cfa1733d4aa
                                                                                                                • Opcode Fuzzy Hash: 6487318beef497506cce547d6419ed7a7e5fe84b49e5e6baa35296401d7428f0
                                                                                                                • Instruction Fuzzy Hash: 580180717045114BDB6C993DA88176C25D3F7DF301F546227E903EE2CBE975B8549243

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • RegOpenKeyExW.KERNELBASE(80000002,00F050E0,00000000,00020019,?), ref: 00F04FB7
                                                                                                                • RegQueryValueExW.KERNELBASE(?,00F0513C,00000000,00000000,00000000,?,00000000,00F050CE), ref: 00F04FE5
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000011.00000002.3577851599.0000000000F03000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F03000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_17_2_f03000_rutserv.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: OpenQueryValue
                                                                                                                • String ID:
                                                                                                                • API String ID: 4153817207-0
                                                                                                                • Opcode ID: 2ee0655bdb462ab317051598c028647db6b4e96559ed216c77c1c54fd38cce40
                                                                                                                • Instruction ID: bc0735bf2d108ee534cb0df44ba84a8652b1a034f865f82b67a730941ab3e3cd
                                                                                                                • Opcode Fuzzy Hash: 2ee0655bdb462ab317051598c028647db6b4e96559ed216c77c1c54fd38cce40
                                                                                                                • Instruction Fuzzy Hash: C2116570A40708ABD720DA658D42BDFB7E8EB05F00F1054A5FA08E6581E6B0DA40AF91

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • SleepEx.KERNELBASE(0000000A,00000000), ref: 013D076A
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000011.00000002.3577851599.00000000013D0000.00000020.00000001.01000000.0000000D.sdmp, Offset: 013D0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_17_2_13d0000_rutserv.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Sleep
                                                                                                                • String ID:
                                                                                                                • API String ID: 3472027048-0
                                                                                                                • Opcode ID: e47b864ff4b1e634821928918225a97cd5229d42095318a228567bcc8b8c6d5d
                                                                                                                • Instruction ID: feaa5afcbbf618154584ef735e0af5116a0d8b2cef594a561c8e03adab9611f8
                                                                                                                • Opcode Fuzzy Hash: e47b864ff4b1e634821928918225a97cd5229d42095318a228567bcc8b8c6d5d
                                                                                                                • Instruction Fuzzy Hash: 89414D31A04204EFDB19DB68E581E9D7BE5FF46728F2640D5F504AF692D734AE00CB10

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • SetServiceStatus.SECHOST(?,?), ref: 013B10E7
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000011.00000002.3577851599.00000000013B1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 013B1000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_17_2_13b1000_rutserv.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ServiceStatus
                                                                                                                • String ID:
                                                                                                                • API String ID: 3969395364-0
                                                                                                                • Opcode ID: d2af988a6fd65927ee09a169361aee26c4cd193d430b74d6c10dede513374955
                                                                                                                • Instruction ID: 4021bee9e437d0f33aa579d7356e67b461390d409ed4a9281bdc75c30fa1d93c
                                                                                                                • Opcode Fuzzy Hash: d2af988a6fd65927ee09a169361aee26c4cd193d430b74d6c10dede513374955
                                                                                                                • Instruction Fuzzy Hash: 4821D270F042499FDB15CF7998A07EEBBF5AB49304F044475E904EA656F73899048B64

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • CreateThread.KERNEL32(?,?,Function_00002158,00000000,?,?), ref: 00EAB1EA
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000011.00000002.3577851599.0000000000EA9000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00EA9000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_17_2_ea9000_rutserv.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CreateThread
                                                                                                                • String ID:
                                                                                                                • API String ID: 2422867632-0
                                                                                                                • Opcode ID: 5e9b8c4ae29e4c043bfbe03df5a1391388585cab4babefb6f1c5df7d759cf605
                                                                                                                • Instruction ID: 2e141920cf4e37010b8d05f45b8b2b9be9b2828565c7d1082e116bbbc6adf7ca
                                                                                                                • Opcode Fuzzy Hash: 5e9b8c4ae29e4c043bfbe03df5a1391388585cab4babefb6f1c5df7d759cf605
                                                                                                                • Instruction Fuzzy Hash: FF018F72705614AFC710CF9D9884A8EBBECEB5E320F144126F518EB381D771AD008BA4

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • CreateThread.KERNEL32(?,?,Function_00002158,00000000,?,?), ref: 00EAB1EA
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000011.00000002.3577851599.0000000000EA9000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00EA9000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_17_2_ea9000_rutserv.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CreateThread
                                                                                                                • String ID:
                                                                                                                • API String ID: 2422867632-0
                                                                                                                • Opcode ID: e91e50b9487720f1f1048f51bac5a4d11cd6e302e3515caf0c220ae9aad3b8dd
                                                                                                                • Instruction ID: 224f7b8767255e1aa6c66634608806a8943a9ab198723f39f3398623bcdce393
                                                                                                                • Opcode Fuzzy Hash: e91e50b9487720f1f1048f51bac5a4d11cd6e302e3515caf0c220ae9aad3b8dd
                                                                                                                • Instruction Fuzzy Hash: 73F0A472705614AFD710CA9D9C44A9EB7ECEB5E324F104126F918EB341D771ED0087A4

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • ResumeThread.KERNELBASE(?), ref: 00FEBE84
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000011.00000002.3577851599.0000000000FEB000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FEB000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_17_2_feb000_rutserv.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ResumeThread
                                                                                                                • String ID:
                                                                                                                • API String ID: 947044025-0

                                                                                                                Control-flow Graph

                                                                                                                control_flow_graph 111 eab734-eab736 112 eab75b 111->112 113 eab738-eab73a 111->113 114 eab318-eab31c 113->114 115 eab740-eab745 113->115 116 eab31e-eab32b 114->116 117 eab32c 114->117 115->114 118 eab74b-eab755 SysReAllocStringLen 115->118 116->117 118->112 119 eab2b0-eab2ba 118->119 123 eab2cc 119->123 124 eab2bc-eab2c6 119->124 124->119 124->123
                                                                                                                APIs
                                                                                                                • SysReAllocStringLen.OLEAUT32(?,?,?,00EAAE29), ref: 00EAB74E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000011.00000002.3577851599.0000000000EA9000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00EA9000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_17_2_ea9000_rutserv.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AllocString
                                                                                                                • String ID:
                                                                                                                • API String ID: 2525500382-0

                                                                                                                Control-flow Graph

                                                                                                                control_flow_graph 126 febf2a-febf4e SetThreadPriority call febd10 128 febf53-febf55 126->128
                                                                                                                APIs
                                                                                                                • SetThreadPriority.KERNELBASE(?), ref: 00FEBF41
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000011.00000002.3577851599.0000000000FEB000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FEB000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_17_2_feb000_rutserv.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: PriorityThread
                                                                                                                • String ID:
                                                                                                                • API String ID: 2383925036-0

                                                                                                                Control-flow Graph

                                                                                                                control_flow_graph 129 13b1218-13b123f PostThreadMessageW 130 13b1241 129->130 131 13b1246-13b1248 129->131 130->131
                                                                                                                APIs
                                                                                                                • PostThreadMessageW.USER32(?,00000401,?,00000000), ref: 013B1230
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000011.00000002.3577851599.00000000013B1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 013B1000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_17_2_13b1000_rutserv.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessagePostThread
                                                                                                                • String ID:
                                                                                                                • API String ID: 1836367815-0

                                                                                                                Control-flow Graph

                                                                                                                control_flow_graph 132 eab498-eab49a 133 eab318-eab31c 132->133 134 eab4a0-eab4ab SysAllocStringLen 132->134 135 eab31e-eab32b 133->135 136 eab32c 133->136 137 eab2b0-eab2ba 134->137 138 eab4b1-eab4ba 134->138 135->136 143 eab2cc 137->143 144 eab2bc-eab2c6 137->144 144->137 144->143
                                                                                                                APIs
                                                                                                                • SysAllocStringLen.OLEAUT32(?,00000000,?,00EAB5F3), ref: 00EAB4A3
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000011.00000002.3577851599.0000000000EA9000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00EA9000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_17_2_ea9000_rutserv.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AllocString
                                                                                                                • String ID:
                                                                                                                • API String ID: 2525500382-0

                                                                                                                Control-flow Graph

                                                                                                                control_flow_graph 146 eab208-eab212 147 eab21c-eab223 RtlExitUserThread 146->147 148 eab214 146->148 148->147
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000011.00000002.3577851599.0000000000EA9000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00EA9000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_17_2_ea9000_rutserv.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ExitThreadUser
                                                                                                                • String ID:
                                                                                                                • API String ID: 3424019298-0

                                                                                                                Control-flow Graph

                                                                                                                control_flow_graph 149 138859c-13885ad 150 13885bf-13885f1 149->150 151 13885af-13885b5 149->151 154 1388791-1388798 150->154 151->150 155 138879e-13887a6 154->155 156 13885f6-1388600 call 1388a98 154->156 157 13887ab-13887bb 155->157 161 138863a-138867a 156->161 162 1388602-1388614 call 1388a98 156->162 167 138867c 161->167 168 13886df-13886fd 161->168 162->161 173 1388616-138861d 162->173 171 13886d1-13886db call 1388a98 167->171 177 1388732-1388747 168->177 178 13886dd 171->178 179 138867e-1388691 call 1389bbf 171->179 173->155 176 1388623-1388634 173->176 176->155 176->161 177->154 178->177 182 1388694-138869c 179->182 182->171
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000011.00000002.3577851599.0000000001388000.00000020.00000001.01000000.0000000D.sdmp, Offset: 01388000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_17_2_1388000_rutserv.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: IdThread (unknown)
                                                                                                                • API String ID: 0-2043411369

                                                                                                                Control-flow Graph

                                                                                                                control_flow_graph 185 13ac710-13ac773 call 13ac6f0 192 13ac7a3-13ac7cb 185->192 193 13ac775-13ac783 185->193 199 13ac7da-13ac7f5 192->199 200 13ac7cd-13ac7d0 192->200 193->192 196 13ac785-13ac78a 193->196 198 13ac78f-13ac791 196->198 201 13ac79d-13ac7a1 198->201 202 13ac793-13ac798 198->202 205 13ac82d-13ac834 199->205 206 13ac7f7-13ac801 199->206 200->199 201->192 201->198 207 13ac892-13ac89a 202->207 208 13ac851-13ac859 205->208 209 13ac836-13ac849 205->209 213 13ac812-13ac825 206->213 214 13ac803-13ac80d 206->214 210 13ac89f-13ac8bc 207->210 211 13ac85e-13ac86e 208->211 209->208 213->205 214->207
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000011.00000002.3577851599.00000000013AC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 013AC000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_17_2_13ac000_rutserv.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: loopback
                                                                                                                • API String ID: 0-3546420730

                                                                                                                Control-flow Graph

                                                                                                                control_flow_graph 222 1da67b0-1da67d4 225 1da67d9-1da67e7 222->225 226 1da67e9-1da67ec 225->226 227 1da67ee-1da696d 225->227 226->227 228 1da67fd-1da6849 226->228 234 1da684e-1da6861 228->234
                                                                                                                Strings
                                                                                                                • TProcessMessagesThread.Execute, xrefs: 01DA67BE
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000011.00000002.3577851599.0000000001DA6000.00000020.00000001.01000000.0000000D.sdmp, Offset: 01DA6000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_17_2_1da6000_rutserv.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: TProcessMessagesThread.Execute
                                                                                                                • API String ID: 0-3632000192
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000011.00000002.3577851599.0000000001183000.00000020.00000001.01000000.0000000D.sdmp, Offset: 01183000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_17_2_1183000_rutserv.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000011.00000002.3577851599.00000000016D0000.00000020.00000001.01000000.0000000D.sdmp, Offset: 016D0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_17_2_16d0000_rutserv.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000011.00000002.3577851599.00000000016D0000.00000020.00000001.01000000.0000000D.sdmp, Offset: 016D0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_17_2_16d0000_rutserv.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000011.00000002.3577851599.00000000016D0000.00000020.00000001.01000000.0000000D.sdmp, Offset: 016D0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_17_2_16d0000_rutserv.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000011.00000002.3577851599.0000000001388000.00000020.00000001.01000000.0000000D.sdmp, Offset: 01388000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_17_2_1388000_rutserv.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 81948fb07ea46076df47939e4d292350c83f6c70c3d778978e75f0cd6fa9b20d
                                                                                                                • Instruction ID: e5c53c338e3584f710dcc4d03db49fd662304db567986b8ff8a5437b1d4cc7d3
                                                                                                                • Opcode Fuzzy Hash: 81948fb07ea46076df47939e4d292350c83f6c70c3d778978e75f0cd6fa9b20d
                                                                                                                • Instruction Fuzzy Hash: 67E02273B006402BD210F75E6C41FA67B89DBDA7A4F080132FA08CF342E5235C0543E6
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000011.00000002.3577851599.00000000016D0000.00000020.00000001.01000000.0000000D.sdmp, Offset: 016D0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_17_2_16d0000_rutserv.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: d5b0aeb2f0055a18b9db57efd372f21c3d17425dc2eb75a14f97c98bfad9725f
                                                                                                                • Instruction ID: b8904a4fbac714bbf1163b75cf43139190dae53f8f4853e46f7d99c993ec21b5
                                                                                                                • Opcode Fuzzy Hash: d5b0aeb2f0055a18b9db57efd372f21c3d17425dc2eb75a14f97c98bfad9725f
                                                                                                                • Instruction Fuzzy Hash: 2AE08661B417536BE720A57D5DC07B755C4DB24724F480679BB85C6301C7A4CD444351
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000011.00000002.3577851599.000000000131C000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0131C000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_17_2_131c000_rutserv.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 5ad89e4fd58f34501c90f48eb14f83c983337f468b259fb8107c8e46fe43f49b
                                                                                                                • Instruction ID: ee205fd37de537db72c990a7670d8ac24e5454c5ff176ebb891d21212f2977b5
                                                                                                                • Opcode Fuzzy Hash: 5ad89e4fd58f34501c90f48eb14f83c983337f468b259fb8107c8e46fe43f49b
                                                                                                                • Instruction Fuzzy Hash: FFB092B138C2106EB51A72515C03C7A66ADD980A11F229E1EF14064484AF825880D672
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000011.00000002.3577851599.000000000131C000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0131C000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_17_2_131c000_rutserv.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 750246992debca46c038d577058d59bcd365247a748fbddf9b08ccb5cd983294
                                                                                                                • Instruction ID: 9bb52bc57df9afa80222d9ee17e77665dfc8c54c6c293a75b24964c66f44233a
                                                                                                                • Opcode Fuzzy Hash: 750246992debca46c038d577058d59bcd365247a748fbddf9b08ccb5cd983294
                                                                                                                • Instruction Fuzzy Hash: 5FB092B138C2006EB51A76519D03C7A66ADC980A11F229A5EF14064444AF835881E6B2
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000011.00000002.3577851599.000000000131C000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0131C000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_17_2_131c000_rutserv.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 8f8fa3752bad77ef141bf239b4dbb481ffb2723ab08760d896f18c82bfb5423a
                                                                                                                • Instruction ID: a8e4396851a3b42c3dfa507e8fbfe2810ec32f032148409b3d699b1e7f88f398
                                                                                                                • Opcode Fuzzy Hash: 8f8fa3752bad77ef141bf239b4dbb481ffb2723ab08760d896f18c82bfb5423a
                                                                                                                • Instruction Fuzzy Hash: 57B0922120D3800ED62B23A028624A87FE08C43210B1A1ADEE1C06A1529E021082D662
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000011.00000002.3577851599.00000000016D0000.00000020.00000001.01000000.0000000D.sdmp, Offset: 016D0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_17_2_16d0000_rutserv.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 276477d35d940d8837fbf1af46a8442e2ab0a5388a8a43947641e8f2f6b818c4
                                                                                                                • Instruction ID: 4d0077ba5c09d005fb225d897d5646f3a77ff099a7a3a6c587c4ecbf5ecf8873
                                                                                                                • Opcode Fuzzy Hash: 276477d35d940d8837fbf1af46a8442e2ab0a5388a8a43947641e8f2f6b818c4
                                                                                                                • Instruction Fuzzy Hash: D8C09270B00204CFDB44FF6CC9C9A423BF4AB88209B1480A4A905CB2ABE7B0CC84CB40
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000011.00000002.3577851599.0000000001388000.00000020.00000001.01000000.0000000D.sdmp, Offset: 01388000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_17_2_1388000_rutserv.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: ece824149a976f0be7aa823cfae3d6b3b8c5d121f86fed4468d886b46952911c
                                                                                                                • Instruction ID: 2c3053d3924d6f84bd77e491328366c431db5d9c59e7731e86b22ff571e362d9
                                                                                                                • Opcode Fuzzy Hash: ece824149a976f0be7aa823cfae3d6b3b8c5d121f86fed4468d886b46952911c
                                                                                                                • Instruction Fuzzy Hash: 32B0123600030C77CF013E86DC01C497F1DAB50360B00C011F91C080219633A671B7D4
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000011.00000002.3577851599.0000000000FE9000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FE9000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_17_2_fe9000_rutserv.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: c8c2ac574abf55ae21cbf6035824376078acdc7e53a90bdab73b1b59692627a7
                                                                                                                • Instruction ID: dcab931c4a539a2eadd99cff47283e157d11fd23f3196920210e5ae52d992c9a
                                                                                                                • Opcode Fuzzy Hash: c8c2ac574abf55ae21cbf6035824376078acdc7e53a90bdab73b1b59692627a7
                                                                                                                • Instruction Fuzzy Hash: 6BB001747001158F9F80DB28C688905B7E1BF8932131583E0A409CB336DA30EC85CF81
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000011.00000002.3577851599.0000000001388000.00000020.00000001.01000000.0000000D.sdmp, Offset: 01388000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_17_2_1388000_rutserv.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 478f410146413648341e8936528a27955cee7fad26bed8f5d055f4a05c08cb4c
                                                                                                                • Instruction ID: e37a22a636c647a65989cd8d042f63f4fdbce9049d2fd2c36bb86874a4dfcac3
                                                                                                                • Opcode Fuzzy Hash: 478f410146413648341e8936528a27955cee7fad26bed8f5d055f4a05c08cb4c
                                                                                                                • Instruction Fuzzy Hash: C7A0223023800BCFCE00BF38C08A800F3A0FE2030C3E000E080880B020CB2AE800CF80
                                                                                                                Strings
                                                                                                                • font-family: Courier New, monospace;, xrefs: 013AC940
                                                                                                                • font-size: 100%;, xrefs: 013AC94A
                                                                                                                • body {, xrefs: 013AC936
                                                                                                                • font-size: 130%;, xrefs: 013AC972
                                                                                                                • h1 {, xrefs: 013AC968
                                                                                                                • background-color: #FFFFFF;, xrefs: 013AC954
                                                                                                                • textarea {, xrefs: 013AC990
                                                                                                                • <style type="text/css">, xrefs: 013AC92C
                                                                                                                • display: none;, xrefs: 013AC99A
                                                                                                                • margin: 0px 0px 0px 0px;, xrefs: 013AC97C
                                                                                                                • </title>, xrefs: 013AC922
                                                                                                                • <head><meta http-equiv="content-type" content="text/html; charset=utf-8" /><meta name="copyright" content="TektonIT" /><meta na, xrefs: 013AC90F
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000011.00000002.3577851599.00000000013AC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 013AC000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_17_2_13ac000_rutserv.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: </title>$<head><meta http-equiv="content-type" content="text/html; charset=utf-8" /><meta name="copyright" content="TektonIT" /><meta na$<style type="text/css">$background-color: #FFFFFF;$body {$display: none;$font-family: Courier New, monospace;$font-size: 100%;$font-size: 130%;$h1 {$margin: 0px 0px 0px 0px;$textarea {
                                                                                                                • API String ID: 0-3743830688
                                                                                                                • Opcode ID: 8e8e836ae195940e9daba1eee2dda8589356b51cae7479284fda96184375b69a
                                                                                                                • Instruction ID: bbaea344f6381d6d1f92c8849381f91834508389ea79c10fba2feae3a4caa7d5
                                                                                                                • Opcode Fuzzy Hash: 8e8e836ae195940e9daba1eee2dda8589356b51cae7479284fda96184375b69a
                                                                                                                • Instruction Fuzzy Hash: 55412120BCA340BEC606BA935C63E8B7FB9C2A9D5DEC0771CF15471F47D5D265189288
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000011.00000002.3577851599.0000000001DA6000.00000020.00000001.01000000.0000000D.sdmp, Offset: 01DA6000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_17_2_1da6000_rutserv.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: closed_by_user$error_code$network_load$ra_session_id$show_duration_in_sec
                                                                                                                • API String ID: 0-946321287
                                                                                                                • Opcode ID: 7c118d3ab9100935730ae7f2ead3cdec0a235dd96a0756df732ddbea9631925b
                                                                                                                • Instruction ID: 00b706f6a455e7187a36281df6c6da51fc04345e1c2c76c553acc93bd207e95b
                                                                                                                • Opcode Fuzzy Hash: 7c118d3ab9100935730ae7f2ead3cdec0a235dd96a0756df732ddbea9631925b
                                                                                                                • Instruction Fuzzy Hash: DC61C534A00209DFCB04DF94C9859DDBBF5FF89304FA445A5E801AB265DB70AE8ACF51
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000011.00000002.3577851599.0000000000FE9000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FE9000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_17_2_fe9000_rutserv.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: END$INHERITED$INLINE$OBJECT
                                                                                                                • API String ID: 0-4145825852
                                                                                                                • Opcode ID: b2a77fd7a64f8ba648c382883fe6db98128b900a9ecf84bf2da5a5cec7475054
                                                                                                                • Instruction ID: 51d8d2a2ba1306e08375e302b7a905ebafccea9cb6b70b36bac914d813feae10
                                                                                                                • Opcode Fuzzy Hash: b2a77fd7a64f8ba648c382883fe6db98128b900a9ecf84bf2da5a5cec7475054
                                                                                                                • Instruction Fuzzy Hash: A4216B7460C2C49BDB10FF6EC88169A73D19F59354B248456F9848B347CABADC42BB71
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000011.00000002.3577851599.0000000000FE9000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FE9000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_17_2_fe9000_rutserv.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: END$INHERITED$INLINE$OBJECT
                                                                                                                • API String ID: 0-4145825852
                                                                                                                • Opcode ID: 880549da901425c2b55bb5688e3d0ecb4ce255a8d72ce3742a54e660c2f01ef3
                                                                                                                • Instruction ID: 95c16eef6017df347181ac97e28a32ac84f5a8f560b497e99b79fee632d1a168
                                                                                                                • Opcode Fuzzy Hash: 880549da901425c2b55bb5688e3d0ecb4ce255a8d72ce3742a54e660c2f01ef3
                                                                                                                • Instruction Fuzzy Hash: D4117F3460C2C48BDB10FF6ECC8169A73D19F59354B244455F8848B347CA76DC02AB60

                                                                                                                Execution Graph

                                                                                                                Execution Coverage:7%
                                                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                                                Signature Coverage:0%
                                                                                                                Total number of Nodes:51
                                                                                                                Total number of Limit Nodes:4
                                                                                                                execution_graph 3229 1203be0 3232 1203c0c 3229->3232 3230 1203ce1 3232->3230 3233 1203968 3232->3233 3236 120383c 3233->3236 3235 1203977 3235->3232 3237 1203855 3236->3237 3238 1203936 3237->3238 3239 120392e DispatchMessageW 3237->3239 3238->3235 3239->3238 3240 12034a0 3241 12034b4 3240->3241 3242 12034d8 3241->3242 3243 12034c8 SetWindowTextW 3241->3243 3243->3242 3282 1203950 3283 1203956 3282->3283 3284 120383c DispatchMessageW 3283->3284 3285 1203963 3283->3285 3284->3283 3244 1093ce8 3245 1093cee 3244->3245 3248 1093d20 3245->3248 3249 1093d26 3248->3249 3252 1093dbc 3249->3252 3251 1093d05 3253 1093dcd 3252->3253 3254 1093e1b 3253->3254 3257 f5af00 3253->3257 3261 f5aefe 3253->3261 3258 f5af1d CreateThread 3257->3258 3260 f5af65 3258->3260 3260->3254 3262 f5af00 CreateThread 3261->3262 3264 f5af65 3262->3264 3264->3254 3280 178b75f 3281 178b74e CloseHandle 3280->3281 3281->3280 3265 178b6c0 CreateFileW 3266 178b6fb 3265->3266 3267 178b70c 3265->3267 3268 178b74e CloseHandle 3267->3268 3268->3267 3269 120383c 3270 1203855 3269->3270 3271 1203936 3270->3271 3272 120392e DispatchMessageW 3270->3272 3272->3271 3273 f5aec8 3274 f5aed0 3273->3274 3276 f5aef2 3274->3276 3277 f5af78 3274->3277 3278 f5af84 3277->3278 3279 f5af8c RtlExitUserThread 3277->3279 3278->3279 3279->3276 3286 1203bde 3289 1203be0 3286->3289 3287 1203ce1 3288 1203968 DispatchMessageW 3288->3289 3289->3287 3289->3288

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • CreateFileW.KERNELBASE(\\.\PIPE\RManFUSServerNotify32,40000000,00000003,00000000,00000003,00000000,00000000,00000000,0178B75A), ref: 0178B6ED
                                                                                                                • CloseHandle.KERNELBASE(000000FF,0178B761), ref: 0178B752
                                                                                                                Strings
                                                                                                                • \\.\PIPE\RManFUSServerNotify32, xrefs: 0178B6E8
                                                                                                                • Error - NotifyServer - WriteFile, xrefs: 0178B737
                                                                                                                • Error - CreateFile, xrefs: 0178B6FB
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000012.00000002.3575481690.000000000178B000.00000020.00000001.01000000.0000000B.sdmp, Offset: 0178B000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_18_2_178b000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CloseCreateFileHandle
                                                                                                                • String ID: Error - CreateFile$Error - NotifyServer - WriteFile$\\.\PIPE\RManFUSServerNotify32
                                                                                                                • API String ID: 3498533004-2744967546

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • DispatchMessageW.USER32(?,?,?,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 0120392F
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000012.00000002.3575481690.0000000001203000.00000020.00000001.01000000.0000000B.sdmp, Offset: 01203000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_18_2_1203000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: DispatchMessage
                                                                                                                • String ID:
                                                                                                                • API String ID: 2061451462-0

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • CreateThread.KERNEL32(?,?,Function_00001EC8,00000000,?,?), ref: 00F5AF5A
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000012.00000002.3575481690.0000000000F59000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00F59000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_18_2_f59000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CreateThread
                                                                                                                • String ID:
                                                                                                                • API String ID: 2422867632-0

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • CreateThread.KERNEL32(?,?,Function_00001EC8,00000000,?,?), ref: 00F5AF5A
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000012.00000002.3575481690.0000000000F59000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00F59000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_18_2_f59000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CreateThread
                                                                                                                • String ID:
                                                                                                                • API String ID: 2422867632-0

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • SetWindowTextW.USER32(?,00000000), ref: 012034D1
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000012.00000002.3575481690.0000000001203000.00000020.00000001.01000000.0000000B.sdmp, Offset: 01203000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_18_2_1203000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: TextWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 530164218-0

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000012.00000002.3575481690.0000000000F59000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00F59000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_18_2_f59000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ExitThreadUser
                                                                                                                • String ID:
                                                                                                                • API String ID: 3424019298-0

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • CloseHandle.KERNELBASE(000000FF,0178B761), ref: 0178B752
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000012.00000002.3575481690.000000000178B000.00000020.00000001.01000000.0000000B.sdmp, Offset: 0178B000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_18_2_178b000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CloseHandle
                                                                                                                • String ID:
                                                                                                                • API String ID: 2962429428-0

                                                                                                                Control-flow Graph

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000012.00000002.3575481690.0000000001093000.00000020.00000001.01000000.0000000B.sdmp, Offset: 01093000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_18_2_1093000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:

                                                                                                                Control-flow Graph

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000012.00000002.3575481690.0000000001093000.00000020.00000001.01000000.0000000B.sdmp, Offset: 01093000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_18_2_1093000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:

                                                                                                                Control-flow Graph

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000012.00000002.3575481690.0000000001093000.00000020.00000001.01000000.0000000B.sdmp, Offset: 01093000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_18_2_1093000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000012.00000002.3575481690.0000000001093000.00000020.00000001.01000000.0000000B.sdmp, Offset: 01093000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_18_2_1093000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000012.00000002.3575481690.00000000013AB000.00000020.00000001.01000000.0000000B.sdmp, Offset: 013AB000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_18_2_13ab000_rfusclient.jbxd

                                                                                                                Execution Graph

                                                                                                                Execution Coverage:6.5%
                                                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                                                Signature Coverage:0%
                                                                                                                Total number of Nodes:3
                                                                                                                Total number of Limit Nodes:0
                                                                                                                execution_graph 434 1435e68 435 1435e7a CreateFileW 434->435 436 1435eaa 435->436


                                                                                                                Control-flow Graph

                                                                                                                control_flow_graph 0 1435e68-1435ea8 CreateFileW 2 1435eb1-1435ec5 0->2 3 1435eaa-1435eaf 0->3 5 1435eca-1435ee2 2->5 6 1435f21-1435f24 3->6 8 1435ef3 5->8 9 1435ee4-1435ee8 5->9 8->6 9->8 10 1435eea-1435eed 9->10 10->8
                                                                                                                APIs
                                                                                                                • CreateFileW.KERNELBASE(01435F28,C0000000,00000003,00000000,00000003,00000000,00000000,00000000,01435F1A), ref: 01435E9C
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.3576444228.0000000001435000.00000020.00000001.01000000.0000000B.sdmp, Offset: 01435000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_1435000_rfusclient.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CreateFile
                                                                                                                • String ID:
                                                                                                                • API String ID: 823142352-0

                                                                                                                Control-flow Graph

                                                                                                                control_flow_graph 11 1267f48-1267f9b 12 1267fa3-1267fad 11->12 14 1267fc1-1267fef 12->14 15 1267faf-1267fbc 12->15 15->14
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.3576444228.0000000001267000.00000020.00000001.01000000.0000000B.sdmp, Offset: 01267000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_1267000_rfusclient.jbxd

                                                                                                                Control-flow Graph

                                                                                                                control_flow_graph 29 12678b8-12678be 30 12678c6-12678c7 29->30
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.3576444228.0000000001267000.00000020.00000001.01000000.0000000B.sdmp, Offset: 01267000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_1267000_rfusclient.jbxd