Windows Analysis Report
442.docx.exe

Overview

General Information

Sample name: 442.docx.exe (renamed because original name is a hash value)
Original sample name: .docx.exe
Analysis ID: 1567328
MD5: fb8117b1a3f0924100fbc209dbbb1bb1
SHA1: 9d18c954eae8e8f8437d4e32d0b685f3f51b982b
SHA256: beaa1498a67bab02bc4c08f00bde36489aaa86ad8b01ee70b477452a08d360ec

Detection

RMSRemoteAdmin
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
AV process strings found (often used to terminate AV products)
Adds / modifies Windows certificates
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: Suspicious Outbound SMTP Connections
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected RMS RemoteAdmin tool
Yara signature match

Classification

  • System is w10x64
  • 442.docx.exe (PID: 7508 cmdline: "C:\Users\user\Desktop\442.docx.exe" MD5: FB8117B1A3F0924100FBC209DBBB1BB1)
    • msiexec.exe (PID: 7648 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\intel\Word.msi" /qn MD5: E5DA170027542E25EDE42FC54C929077)
    • WINWORD.EXE (PID: 7760 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\intel\Doc.docx" /o "" MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)
  • msiexec.exe (PID: 7704 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7812 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding DC073261611BDBF652B83E82DB7E8329 MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • rfusclient.exe (PID: 7456 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" -msi_copy "C:\intel\Word.msi" MD5: CB9BE257064162076EBD4869CD97E166)
    • rutserv.exe (PID: 7676 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall MD5: D563A4D6BFCFE6884D1AC88824CB5C2A)
    • rutserv.exe (PID: 5472 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall MD5: D563A4D6BFCFE6884D1AC88824CB5C2A)
    • rutserv.exe (PID: 3368 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start MD5: D563A4D6BFCFE6884D1AC88824CB5C2A)
  • sppsvc.exe (PID: 7944 cmdline: C:\Windows\system32\sppsvc.exe MD5: 320823F03672CEB82CC3A169989ABD12)
  • svchost.exe (PID: 7996 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • rutserv.exe (PID: 6120 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -service MD5: D563A4D6BFCFE6884D1AC88824CB5C2A)
    • rutserv.exe (PID: 5856 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall MD5: D563A4D6BFCFE6884D1AC88824CB5C2A)
    • rfusclient.exe (PID: 7560 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" MD5: CB9BE257064162076EBD4869CD97E166)
      • rfusclient.exe (PID: 3396 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray MD5: CB9BE257064162076EBD4869CD97E166)
    • rfusclient.exe (PID: 7720 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray MD5: CB9BE257064162076EBD4869CD97E166)
No configs have been found
Source | Rule | Description | Author | Strings
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | MALWARE_Win_RemoteUtilitiesRAT | RemoteUtilitiesRAT RAT payload | ditekSHen
  • 0x3a1d58:$s1: rman_message
  • 0x453340:$s3: rms_host_
  • 0x453cf8:$s3: rms_host_
  • 0x816eb4:$s4: rman_av_capture_settings
  • 0x45a4c4:$s7: _rms_log.txt
  • 0x4bf3c8:$s8: rms_internet_id_settings
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | MALWARE_Win_RemoteUtilitiesRAT | RemoteUtilitiesRAT RAT payload | ditekSHen
  • 0x39e594:$s1: rman_message
  • 0x46d594:$s3: rms_host_
  • 0x46df4c:$s3: rms_host_
  • 0x82acb0:$s4: rman_av_capture_settings
  • 0x877858:$s5: rman_registry_key
  • 0x8778a4:$s5: rman_registry_key
  • 0x543d6c:$s6: rms_system_information
  • 0x2f1a18:$s7: _rms_log.txt
  • 0x503238:$s8: rms_internet_id_settings
Source | Rule | Description | Author | Strings
00000013.00000002.2974268243.0000000002E56000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security
00000014.00000002.2977786114.0000000002E4A000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security
00000014.00000002.2977786114.0000000002E18000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security
00000014.00000002.2990838666.0000000004A84000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security
00000013.00000002.2974268243.0000000002E7A000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security
Source | Rule | Description | Author | Strings
11.0.rfusclient.exe.270000.0.unpack | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security
11.0.rfusclient.exe.270000.0.unpack | MALWARE_Win_RemoteUtilitiesRAT | RemoteUtilitiesRAT RAT payload | ditekSHen
  • 0x3a1d58:$s1: rman_message
  • 0x453340:$s3: rms_host_
  • 0x453cf8:$s3: rms_host_
  • 0x816eb4:$s4: rman_av_capture_settings
  • 0x45a4c4:$s7: _rms_log.txt
  • 0x4bf3c8:$s8: rms_internet_id_settings

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\442.docx.exe", CommandLine: "C:\Users\user\Desktop\442.docx.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\442.docx.exe, NewProcessName: C:\Users\user\Desktop\442.docx.exe, OriginalFileName: C:\Users\user\Desktop\442.docx.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\442.docx.exe", ProcessId: 7508, ProcessName: 442.docx.exe
Source: Network Connection, Author: Florian Roth (Nextron Systems): Data: DestinationIp: 78.138.9.142, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: , Initiated: true, ProcessId: , Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 50128
Source: Network Connection, Author: frack113: Data: DestinationIp: 111.90.147.125, DestinationIsIpv6: false, DestinationPort: 465, EventID: 3, Image: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, Initiated: true, ProcessId: 6120, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49809
Source: Process started, Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7996, ProcessName: svchost.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-03T12:36:14.804611+0100 | 2849354 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49806 | 111.90.147.125 | 80 | TCP

AV Detection

Source: Submitted Sample, Integrated Neural Analysis Model: Matched 98.5% probability
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Code function: 11_2_5FD445A0 rmsEncInitSimpleEncryption,memcpy,memcpy,11_2_5FD445A0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Code function: 11_2_5FD43760 rmsEncEncryptData,11_2_5FD43760
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Code function: 11_2_5FD43D30 rmsEncRsaPrivateDecrypt,memcpy,memcpy,memcpy,11_2_5FD43D30
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Code function: 11_2_5FD442D0 rmsEncRsaPrivateEncrypt,memcpy,memcpy,memcpy,11_2_5FD442D0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Code function: 11_2_5FD438C0 rmsEncDecryptData,11_2_5FD438C0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Code function: 11_2_5FD43AE0 rmsEncRsaPublicEncrypt,memcpy,11_2_5FD43AE0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Code function: 11_2_5FD44000 rmsEncRsaPublicDecrypt,memcpy,memcpy,memcpy,11_2_5FD44000
Source: rfusclient.exe, 0000000B.00000000.1848835790.0000000000D25000.00000002.00000001.01000000.0000000B.sdmp, Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_d1908d4e-2

Compliance

Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Unpacked PE file: 11.2.rfusclient.exe.270000.0.unpack
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, File created: C:\ProgramData\Remote Manipulator System\install.log
Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf
Source: 442.docx.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Malizia\src\vpd\setup\Release\setup.pdb source: setupdrv.exe.2.dr
Source: Binary string: C:\Users\Malizia\src\vpd\setup\Release\setup.pdb## source: setupdrv.exe.2.dr
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: 442.docx.exe
Source: Binary string: unidrv.pdb source: unidrv_rppd.dll.2.dr
Source: C:\Windows\System32\msiexec.exe, File opened: z:
Source: C:\Windows\System32\msiexec.exe, File opened: x:
Source: C:\Windows\System32\msiexec.exe, File opened: v:
Source: C:\Windows\System32\msiexec.exe, File opened: t:
Source: C:\Windows\System32\msiexec.exe, File opened: r:
Source: C:\Windows\System32\msiexec.exe, File opened: p:
Source: C:\Windows\System32\msiexec.exe, File opened: n:
Source: C:\Windows\System32\msiexec.exe, File opened: l:
Source: C:\Windows\System32\msiexec.exe, File opened: j:
Source: C:\Windows\System32\msiexec.exe, File opened: h:
Source: C:\Windows\System32\msiexec.exe, File opened: f:
Source: C:\Windows\System32\msiexec.exe, File opened: b:
Source: C:\Windows\System32\msiexec.exe, File opened: y:
Source: C:\Windows\System32\msiexec.exe, File opened: w:
Source: C:\Windows\System32\msiexec.exe, File opened: u:
Source: C:\Windows\System32\msiexec.exe, File opened: s:
Source: C:\Windows\System32\msiexec.exe, File opened: q:
Source: C:\Windows\System32\msiexec.exe, File opened: o:
Source: C:\Windows\System32\msiexec.exe, File opened: m:
Source: C:\Windows\System32\msiexec.exe, File opened: k:
Source: C:\Windows\System32\msiexec.exe, File opened: i:
Source: C:\Windows\System32\msiexec.exe, File opened: g:
Source: C:\Windows\System32\msiexec.exe, File opened: e:
Source: C:\Windows\System32\svchost.exe, File opened: c:
Source: C:\Windows\System32\msiexec.exe, File opened: a:
Source: C:\Users\user\Desktop\442.docx.exe, Code function: 0_2_00007FF69D3E40BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF69D3E40BC
Source: C:\Users\user\Desktop\442.docx.exe, Code function: 0_2_00007FF69D3FB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF69D3FB190
Source: C:\Users\user\Desktop\442.docx.exe, Code function: 0_2_00007FF69D40FCA0 FindFirstFileExA,0_2_00007FF69D40FCA0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, File opened: C:\Windows\SysWOW64\wininet.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, File opened: C:\Windows\SysWOW64\winspool.drv
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\COMCTL32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, File opened: C:\Windows\SysWOW64\
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, File opened: C:\Windows\SysWOW64\winmm.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Code function: 4x nop then push esi,11_2_60106B90
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Code function: 4x nop then sub esp, 1Ch,11_2_6010BEB0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Code function: 4x nop then push esi,11_2_60106AD0
Source: winword.exe, Memory has grown: Private usage: 0MB later: 85MB

Networking

Source: Network traffic, Suricata IDS: 2849354 - Severity 1 - ETPRO MALWARE Remote Admin Backdoor Related Activity : 192.168.2.4:49806 -> 111.90.147.125:80
Source: global traffic, TCP traffic: 111.90.147.125 ports 5651,0,465,55555,8,80
Source: global traffic, TCP traffic: 192.168.2.4:49807 -> 111.90.147.125:5651
Source: global traffic, TCP traffic: 192.168.2.4:49811 -> 78.138.9.142:8080
Source: global traffic, TCP traffic: 192.168.2.4:49818 -> 95.213.205.83:5655
Source: global traffic, TCP traffic: 192.168.2.4:49825 -> 77.223.124.212:5655
Source: Joe Sandbox View, ASN Name: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY
Source: unknown, TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown, TCP traffic detected without corresponding DNS query: 78.138.9.142
Source: global traffic, DNS traffic detected: DNS query: id72.internetid.ru
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAEB4000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF41000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAFFE000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF97000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3015284211.0000000003F20000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.2964235686.000000000084D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF2F000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAEF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                  Source: unidrv_rppd.dll.2.dr, rppdui.dll0.2.dr, setupdrv.exe.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
                  Source: unidrv_rppd.dll.2.dr, rppdui.dll0.2.dr, setupdrv.exe.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF2F000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAEF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF2F000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAEF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                  Source: svchost.exe, 00000006.00000003.1763146344.0000023D54CB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                  Source: svchost.exe, 00000006.00000003.1763146344.0000023D54CB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
                  Source: svchost.exe, 00000006.00000003.1763146344.0000023D54CB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                  Source: svchost.exe, 00000006.00000003.1763146344.0000023D54CB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                  Source: svchost.exe, 00000006.00000003.1763146344.0000023D54CB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                  Source: svchost.exe, 00000006.00000003.1763146344.0000023D54CB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                  Source: svchost.exe, 00000006.00000003.1763146344.0000023D54CED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                  Source: svchost.exe, 00000006.00000003.1763146344.0000023D54D31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                  Source: rfusclient.exe, 0000000B.00000000.1846812364.00000000002BF000.00000020.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000C.00000000.1875833345.0000000000AB1000.00000020.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000011.00000003.1960260247.000000007BA10000.00000004.00001000.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.1970950737.000000007CEE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://madExcept.comU
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAEB4000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF41000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAFFE000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF97000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.2964235686.000000000088E000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3015284211.0000000003F20000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.2964235686.000000000084D000.00000004.00000020.00020000.00000000.sdmp, unidrv_rppd.dll.2.dr, rppdui.dll0.2.dr, setupdrv.exe.2.drString found in binary or memory: http://ocsp.digicert.com0A
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF2F000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAEF1000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAEB4000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF41000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAFFE000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF97000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.2964235686.000000000087D000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3015284211.0000000003F20000.00000004.00000020.00020000.00000000.sdmp, unidrv_rppd.dll.2.dr, rppdui.dll0.2.dr, setupdrv.exe.2.drString found in binary or memory: http://ocsp.digicert.com0C
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF2F000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAEF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAEB4000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF41000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAFFE000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF97000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.2964235686.00000000008A5000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3015284211.0000000003F20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                  Source: rutserv.exe, 00000011.00000003.2667377514.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, 9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F51640.17.drString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6N
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAEB4000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF41000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAFFE000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF97000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.2970502345.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2667377514.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.2970502345.00000000008D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
                  Source: rutserv.exe, 00000011.00000003.2667377514.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.2970502345.0000000000908000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr45http://crl.globalsign.com/codesigningrootr45.crlhnZ
                  Source: rutserv.exe, 00000011.00000003.2667377514.00000000008D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca2020
                  Source: rutserv.exe, 00000011.00000003.2668508292.0000000007F16000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3025685299.0000000007F1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBTLuA3ygnKW%2F7xuSx%2
                  Source: rutserv.exe, 00000011.00000003.2668508292.0000000007F16000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3025685299.0000000007F1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCUABBTLuA3ygnKW%2F7xuSx%2F0
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAEB4000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF41000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAFFE000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF97000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.2964235686.000000000088E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
                  Source: rutserv.exe, 00000011.00000002.3025685299.0000000007EF0000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2670385682.0000000007EFD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca2020http://crl.globalsign.com/gsgccr45codesignca2020.cr
                  Source: rutserv.exe, 00000011.00000002.2964235686.000000000084D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/rootr3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2F
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAEB4000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF41000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAFFE000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF97000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.2964235686.000000000087D000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.2964235686.000000000088E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/rootr30;
                  Source: rutserv.exe, 00000011.00000002.2970502345.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2667377514.00000000008D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/rootr3http://crl.globalsign.com/root-r3.crl
                  Source: rfusclient.exe, 00000014.00000002.2990838666.0000000004A40000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru/
                  Source: rutserv.exe, 00000011.00000002.2988939881.0000000002698000.00000004.00001000.00020000.00000000.sdmp, rfusclient.exe, 00000013.00000002.2974268243.0000000002E56000.00000004.00001000.00020000.00000000.sdmp, rfusclient.exe, 00000014.00000002.2977786114.0000000002E18000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru///rmansys.ru/
                  Source: rutserv.exe, 00000011.00000002.2988939881.0000000002698000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru///rmansys.ru/;
                  Source: rfusclient.exe, 00000013.00000002.2974268243.0000000002E56000.00000004.00001000.00020000.00000000.sdmp, rfusclient.exe, 00000014.00000002.2977786114.0000000002E18000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru///rmansys.ru/l
                  Source: rfusclient.exe, 00000014.00000002.2990838666.0000000004A0A000.00000004.00001000.00020000.00000000.sdmp, rfusclient.exe, 00000014.00000002.2990838666.00000000049F6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru/internet-id/
                  Source: rfusclient.exe, 00000013.00000002.2974268243.0000000002E56000.00000004.00001000.00020000.00000000.sdmp, rfusclient.exe, 00000014.00000002.2977786114.0000000002E18000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru/nsys.ru/pf
                  Source: rutserv.exe, 00000011.00000002.2988939881.0000000002698000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru/nsys.ru/pfj
                  Source: rfusclient.exe, 00000013.00000002.2974268243.0000000002E56000.00000004.00001000.00020000.00000000.sdmp, rfusclient.exe, 00000014.00000002.2977786114.0000000002E18000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru/pf
                  Source: rutserv.exe, 00000011.00000002.2988939881.0000000002698000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru/pfj
                  Source: rutserv.exe, 00000011.00000002.2988939881.0000000002698000.00000004.00001000.00020000.00000000.sdmp, rfusclient.exe, 00000013.00000002.2974268243.0000000002E56000.00000004.00001000.00020000.00000000.sdmp, rfusclient.exe, 00000014.00000002.2977786114.0000000002E18000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru/rd
                  Source: rfusclient.exe, 00000013.00000002.2974268243.0000000002E56000.00000004.00001000.00020000.00000000.sdmp, rfusclient.exe, 00000013.00000002.2988479504.0000000004A36000.00000004.00001000.00020000.00000000.sdmp, rfusclient.exe, 00000014.00000002.2977786114.0000000002E18000.00000004.00001000.00020000.00000000.sdmp, rfusclient.exe, 00000014.00000002.2990838666.0000000004A40000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru/web-help/
                  Source: rutserv.exe, 00000011.00000002.2988939881.0000000002698000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru/web-help/eb-help/
                  Source: rutserv.exe, 00000011.00000002.2988939881.0000000002698000.00000004.00001000.00020000.00000000.sdmp, rfusclient.exe, 00000013.00000002.2974268243.0000000002E56000.00000004.00001000.00020000.00000000.sdmp, rfusclient.exe, 00000014.00000002.2977786114.0000000002E18000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru/web-help/eb-help/D
                  Source: rfusclient.exe, 00000013.00000002.2974268243.0000000002E56000.00000004.00001000.00020000.00000000.sdmp, rfusclient.exe, 00000014.00000002.2977786114.0000000002E18000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru/web-help/eb-help/t
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF2F000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAEF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF2F000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAEF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s2.symcb.com0
                  Source: rfusclient.exe, 0000000B.00000000.1846812364.00000000002BF000.00000020.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000C.00000000.1875833345.0000000000AB1000.00000020.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000011.00000003.1960260247.000000007BA10000.00000004.00001000.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.1970950737.000000007CEE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAEB4000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF41000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAFFE000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF97000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.2970502345.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2667377514.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.2964235686.000000000088E000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.2970502345.00000000008D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAEB4000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF41000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAFFE000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF97000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.2964235686.000000000088E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=
                  Source: rutserv.exe, 00000011.00000002.2964235686.000000000087D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt1.3.6.1.5.5.7.48.1http://ocsp.globalsi
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAEB4000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF41000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAFFE000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF97000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.2964235686.000000000087D000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.2964235686.000000000088E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
                  Source: rfusclient.exe, 0000000B.00000000.1848835790.0000000000D25000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000C.00000000.1894913988.0000000001F71000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF2F000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAEF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crl0a
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF2F000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAEF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crt0
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF2F000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAEF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcd.com0&
                  Source: unidrv_rppd.dll.2.dr, rppdui.dll0.2.dr, setupdrv.exe.2.drString found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
                  Source: unidrv_rppd.dll.2.dr, rppdui.dll0.2.dr, setupdrv.exe.2.drString found in binary or memory: http://t2.symcb.com0
                  Source: unidrv_rppd.dll.2.dr, rppdui.dll0.2.dr, setupdrv.exe.2.drString found in binary or memory: http://tl.symcb.com/tl.crl0
                  Source: unidrv_rppd.dll.2.dr, rppdui.dll0.2.dr, setupdrv.exe.2.drString found in binary or memory: http://tl.symcb.com/tl.crt0
                  Source: unidrv_rppd.dll.2.dr, rppdui.dll0.2.dr, setupdrv.exe.2.drString found in binary or memory: http://tl.symcd.com0&
                  Source: rutserv.exe, 0000000C.00000000.1875833345.0000000000AB1000.00000020.00000001.01000000.0000000D.sdmpString found in binary or memory: http://update.tektonit.ru/upgrade.ini
                  Source: rutserv.exe, 0000000C.00000000.1875833345.0000000000AB1000.00000020.00000001.01000000.0000000D.sdmpString found in binary or memory: http://update.tektonit.ru/upgrade_beta.ini
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF2F000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAEF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                  Source: unidrv_rppd.dll.2.dr, rppdui.dll0.2.dr, setupdrv.exe.2.drString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF2F000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAEF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.flexerasoftware.com0
                  Source: rfusclient.exe, 0000000B.00000003.1868603052.00000000030C5000.00000004.00001000.00020000.00000000.sdmp, rfusclient.exe, 0000000B.00000000.1846812364.0000000000ACB000.00000020.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000C.00000003.1911558747.0000000004075000.00000004.00001000.00020000.00000000.sdmp, rutserv.exe, 0000000C.00000000.1875833345.00000000014B1000.00000020.00000001.01000000.0000000D.sdmp, rutserv.exe, 0000000F.00000003.1934761002.0000000004125000.00000004.00001000.00020000.00000000.sdmp, rutserv.exe, 00000010.00000003.1984877311.00000000036A5000.00000004.00001000.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.2988939881.00000000025EE000.00000004.00001000.00020000.00000000.sdmp, rutserv.exe, 00000012.00000003.2031732620.0000000002665000.00000004.00001000.00020000.00000000.sdmp, rfusclient.exe, 00000013.00000002.2974268243.0000000002DA5000.00000004.00001000.00020000.00000000.sdmp, rfusclient.exe, 00000014.00000002.2977786114.0000000002D75000.00000004.00001000.00020000.00000000.sdmp, rfusclient.exe, 00000015.00000003.2069190807.0000000002ED5000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.indyproject.org/
                  Source: rfusclient.exe, 0000000B.00000000.1848835790.0000000000D25000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000C.00000000.1894913988.0000000001F71000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: http://www.inkscape.org/namespaces/inkscape
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF2F000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAEF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/cps0(
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF2F000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAEF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/rpa00
                  Source: rfusclient.exe, 0000000B.00000002.1873150408.00000000601C0000.00000002.00000001.01000000.0000000C.sdmpString found in binary or memory: https://curl.se/docs/alt-svc.html
                  Source: rfusclient.exe, 0000000B.00000002.1873150408.00000000601C0000.00000002.00000001.01000000.0000000C.sdmpString found in binary or memory: https://curl.se/docs/hsts.html
                  Source: rfusclient.exe, 0000000B.00000002.1873150408.00000000601C0000.00000002.00000001.01000000.0000000C.sdmpString found in binary or memory: https://curl.se/docs/http-cookies.html
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF2F000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAEF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF2F000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAEF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0
                  Source: svchost.exe, 00000006.00000003.1763146344.0000023D54D62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
                  Source: svchost.exe, 00000006.00000003.1763146344.0000023D54CF6000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1763146344.0000023D54CAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
                  Source: svchost.exe, 00000006.00000003.1763146344.0000023D54D62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2
                  Source: svchost.exe, 00000006.00000003.1763146344.0000023D54D43000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1763146344.0000023D54D94000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1763146344.0000023D54D88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
                  Source: svchost.exe, 00000006.00000003.1763146344.0000023D54D62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
                  Source: rfusclient.exe, 0000000B.00000002.1873150408.00000000601C0000.00000002.00000001.01000000.0000000C.sdmpString found in binary or memory: https://gcc.gnu.org/bugsrg/bugs/):
                  Source: svchost.exe, 00000006.00000003.1763146344.0000023D54D62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
                  Source: svchost.exe, 00000006.00000003.1763146344.0000023D54CF6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAE5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rmansys.ru/IS_PREVENT_DOWNGRADE_EXITZ_DOWNGRADE_DETECTED;Z_UPGRADE_DETECTED;COMPANYNAME;INST
                  Source: rfusclient.exe, 00000014.00000002.2977786114.0000000002D6E000.00000004.00001000.00020000.00000000.sdmp, rfusclient.exe, 00000014.00000002.2990838666.0000000004A40000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://rmansys.ru/remote-access/
                  Source: rutserv.exe, 00000011.00000002.2988939881.00000000025EE000.00000004.00001000.00020000.00000000.sdmp, rfusclient.exe, 00000013.00000002.2974268243.0000000002D9E000.00000004.00001000.00020000.00000000.sdmp, rfusclient.exe, 00000014.00000002.2977786114.0000000002D6E000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://rmansys.ru/remote-access//rmansys.ru/remote-access/
                  Source: rutserv.exe, 00000011.00000002.2988939881.00000000025EE000.00000004.00001000.00020000.00000000.sdmp, rfusclient.exe, 00000013.00000002.2974268243.0000000002D9E000.00000004.00001000.00020000.00000000.sdmp, rfusclient.exe, 00000014.00000002.2977786114.0000000002D6E000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://rmansys.ru/remote-access//rmansys.ru/remote-access/O
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF2F000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAEF1000.00000004.00000020.00020000.00000000.sdmp, unidrv_rppd.dll.2.dr, rppdui.dll0.2.dr, setupdrv.exe.2.drString found in binary or memory: https://www.digicert.com/CPS0
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAEB4000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF41000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAFFE000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF97000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.2970502345.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.2964235686.000000000087D000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2667377514.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.2964235686.000000000088E000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.2970502345.00000000008D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/0
                  Source: rfusclient.exe, 0000000B.00000000.1848835790.0000000000D25000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000C.00000000.1894913988.0000000001F71000.00000002.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000011.00000003.1974630728.0000000007B3E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.remoteutilities.com/about/privacy-policy.php
                  Source: rfusclient.exe, 0000000B.00000000.1848835790.0000000000D25000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000C.00000000.1894913988.0000000001F71000.00000002.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000011.00000003.1974630728.0000000007B3E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.remoteutilities.com/buy/money-back-guarantee.php
                  Source: rfusclient.exe, 0000000B.00000000.1848835790.0000000000D25000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000C.00000000.1894913988.0000000001F71000.00000002.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000011.00000003.1974630728.0000000007B3E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.remoteutilities.com/support/docs/installing-and-uninstalling/
                  Source: rppdui.dll0.2.drString found in binary or memory: https://www.rmansys.ruopen
                  Source: unidrv_rppd.dll.2.dr, rppdui.dll0.2.dr, setupdrv.exe.2.drString found in binary or memory: https://www.thawte.com/cps0/
                  Source: unidrv_rppd.dll.2.dr, rppdui.dll0.2.dr, setupdrv.exe.2.drString found in binary or memory: https://www.thawte.com/repository0W
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A1D627669EFC8CD4F21BCF387D97F9B5_E818918BC57803438E0E0146A88425A7
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4A62E94087F64223B9812F11186592BA
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C

                  System Summary

                  Source: 11.0.rfusclient.exe.270000.0.unpack, type: UNPACKEDPEMatched rule: RemoteUtilitiesRAT RAT payload Author: ditekSHen
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, type: DROPPEDMatched rule: RemoteUtilitiesRAT RAT payload Author: ditekSHen
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, type: DROPPEDMatched rule: RemoteUtilitiesRAT RAT payload Author: ditekSHen
                  Source: C:\Users\user\Desktop\442.docx.exeCode function: 0_2_00007FF69D3DC2F0: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF69D3DC2F0
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\47ca2c.msi
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\MSICEDF.tmp
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\SourceHash{77817ADF-D5EC-49C6-B987-6169BBD5345B}
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\inprogressinstallinfo.ipi
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\MSID096.tmp
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\47ca2f.msi
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\ARPPRODUCTICON.exe
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_start_C00864331B9D4391A8A26292A601EBE2.exe
                  Source: C:\Windows\System32\svchost.exe, File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A1D627669EFC8CD4F21BCF387D97F9B5_E818918BC57803438E0E0146A88425A7
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A1D627669EFC8CD4F21BCF387D97F9B5_E818918BC57803438E0E0146A88425A7
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4A62E94087F64223B9812F11186592BA
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4A62E94087F64223B9812F11186592BA
                  Source: C:\Windows\System32\msiexec.exe, File deleted: C:\Windows\Installer\MSICEDF.tmp
                  Source: unires_vpd.dll.2.drStatic PE information: Resource name: None type: COM executable for DOS
                  Source: rutserv.exe.2.drStatic PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
                  Source: rfusclient.exe.2.drStatic PE information: Resource name: MAD type: DOS executable (COM, 0x8C-variant)
                  Source: rfusclient.exe.2.drStatic PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
                  Source: unidrvui_rppd.dll0.2.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                  Source: unires_vpd.dll0.2.drStatic PE information: Resource name: None type: COM executable for DOS
                  Source: libasset32.dll.2.drStatic PE information: Number of sections : 19 > 10
                  Source: rutserv.exe.2.drStatic PE information: Number of sections : 11 > 10
                  Source: rfusclient.exe.2.drStatic PE information: Number of sections : 11 > 10
                  Source: libcodec32.dll.2.drStatic PE information: Number of sections : 20 > 10
                  Source: unires_vpd.dll0.2.drStatic PE information: No import functions for PE file found
                  Source: unires_vpd.dll.2.drStatic PE information: No import functions for PE file found
                  Source: 442.docx.exe, 00000000.00000003.1727557308.000001AFCCF3E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWinWord.exeB vs 442.docx.exe
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAEF1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameISRegSvr.dll vs 442.docx.exe
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAEB4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_IsIcoRes.exe< vs 442.docx.exe
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAEB4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSetAllUsers.dll< vs 442.docx.exe
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF41000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_IsIcoRes.exe< vs 442.docx.exe
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAFFE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_IsIcoRes.exe< vs 442.docx.exe
                  Source: 442.docx.exe, 00000000.00000003.1715219165.000001AFCAF97000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_IsIcoRes.exe< vs 442.docx.exe
                  Source: 11.0.rfusclient.exe.270000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RemoteUtilitiesRAT author = ditekSHen, description = RemoteUtilitiesRAT RAT payload, clamav_sig = MALWARE.Win.Trojan.RemoteUtilitiesRAT
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, type: DROPPEDMatched rule: MALWARE_Win_RemoteUtilitiesRAT author = ditekSHen, description = RemoteUtilitiesRAT RAT payload, clamav_sig = MALWARE.Win.Trojan.RemoteUtilitiesRAT
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, type: DROPPEDMatched rule: MALWARE_Win_RemoteUtilitiesRAT author = ditekSHen, description = RemoteUtilitiesRAT RAT payload, clamav_sig = MALWARE.Win.Trojan.RemoteUtilitiesRAT
                  Source: unires_vpd.dll0.2.drStatic PE information: Section .rsrc
                  Source: unires_vpd.dll.2.drStatic PE information: Section .rsrc
                  Source: classification engine, Classification label: mal92.troj.evad.winEXE@28/322@1/5
                  Source: C:\Users\user\Desktop\442.docx.exeCode function: 0_2_00007FF69D3DB6D8 GetLastError,FormatMessageW,LocalFree,0_2_00007FF69D3DB6D8
                  Source: C:\Users\user\Desktop\442.docx.exeCode function: 0_2_00007FF69D3F8624 FindResourceExW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,0_2_00007FF69D3F8624
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, File created: C:\Users\user\AppData\Roaming\Microsoft\Office
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeMutant created: \Sessions\1\BaseNamedObjects\Local\RManFUSTray
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeMutant created: NULL
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeMutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1d20
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeMutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1dfc
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeMutant created: \Sessions\1\BaseNamedObjects\HookTThread$1d88
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeMutant created: \Sessions\1\BaseNamedObjects\Local\RManFUSLocal
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeMutant created: \BaseNamedObjects\madExceptSettingsMtx$16e0
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeMutant created: \Sessions\1\BaseNamedObjects\HookTThread$1e28
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeMutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1560
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeMutant created: \BaseNamedObjects\madExceptSettingsMtx$17e8
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeMutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$d28
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeMutant created: \BaseNamedObjects\HookTThread$17e8
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeMutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1d88
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeMutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1e28
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeMutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$d44
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\TEMP\~DF6C1ED0AC54C79EE8.TMP
                  Source: 442.docx.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeKey opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeKey opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
                  Source: C:\Users\user\Desktop\442.docx.exe, File read: C:\Windows\win.ini
                  Source: C:\Users\user\Desktop\442.docx.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: rfusclient.exeString found in binary or memory: ENGINESDIR: "E:/dev/vcpkg/installed/x86-mingw-static/lib/engines-3"
                  Source: rfusclient.exeString found in binary or memory: MODULESDIR: "E:/dev/vcpkg/installed/x86-mingw-static/lib/ossl-modules"
                  Source: rfusclient.exeString found in binary or memory: E:/dev/vcpkg/installed/x86-mingw-static/lib/ossl-modules
                  Source: rfusclient.exeString found in binary or memory: E:/dev/vcpkg/installed/x86-mingw-static/lib/engines-3
                  Source: C:\Users\user\Desktop\442.docx.exe, File read: C:\Users\user\Desktop\442.docx.exe
                  Source: unknownProcess created: C:\Users\user\Desktop\442.docx.exe "C:\Users\user\Desktop\442.docx.exe"
                  Source: C:\Users\user\Desktop\442.docx.exeProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\intel\Word.msi" /qn
                  Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                  Source: C:\Users\user\Desktop\442.docx.exeProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\intel\Doc.docx" /o ""
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding DC073261611BDBF652B83E82DB7E8329
                  Source: unknownProcess created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" -msi_copy "C:\intel\Word.msi"
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
                  Source: unknownProcess created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -service
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeProcess created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeProcess created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeProcess created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeProcess created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Process created: unknown unknown
                  Source: C:\Users\user\Desktop\442.docx.exe, Section loaded: version.dll
                  Source: C:\Users\user\Desktop\442.docx.exe, Section loaded: dxgidebug.dll
                  Source: C:\Users\user\Desktop\442.docx.exe, Section loaded: sfc_os.dll
                  Source: C:\Users\user\Desktop\442.docx.exe, Section loaded: sspicli.dll
                  Source: C:\Users\user\Desktop\442.docx.exe, Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\442.docx.exe, Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\442.docx.exe, Section loaded: dwmapi.dll
                  Source: C:\Users\user\Desktop\442.docx.exe, Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\442.docx.exe, Section loaded: riched20.dll
                  Source: C:\Users\user\Desktop\442.docx.exe, Section loaded: usp10.dll
                  Source: C:\Users\user\Desktop\442.docx.exe, Section loaded: msls31.dll
                  Source: C:\Users\user\Desktop\442.docx.exe, Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\442.docx.exe, Section loaded: windowscodecs.dll
                  Source: C:\Users\user\Desktop\442.docx.exe, Section loaded: textshaping.dll
                  Source: C:\Users\user\Desktop\442.docx.exe, Section loaded: textinputframework.dll
                  Source: C:\Users\user\Desktop\442.docx.exe, Section loaded: coreuicomponents.dll
                  Source: C:\Users\user\Desktop\442.docx.exe, Section loaded: coremessaging.dll
                  Source: C:\Users\user\Desktop\442.docx.exe, Section loaded: ntmarta.dll
                  Source: C:\Users\user\Desktop\442.docx.exe, Section loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: policymanager.dllJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: msvcp110_win.dllJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: pcacli.dllJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: vcruntime140_1.dllJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: vcruntime140.dllJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: msvcp140.dllJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: vcruntime140.dllJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: xmllite.dllJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeSection loaded: mlang.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: oledlg.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: shfolder.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: wsock32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: msacm32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: faultrep.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: dbghelp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: dbgcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: ntmarta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: libasset32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: cryptbase.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: windows.storage.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: wldp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: olepro32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: msftedit.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: fwpuclnt.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: idndl.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: profapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winhttp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: shfolder.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wsock32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: msasn1.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: faultrep.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dbghelp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dbgcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: ntmarta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: libasset32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: cryptbase.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: windows.storage.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wldp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: olepro32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: oleacc.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dwmapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: msimg32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_is2022.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_g18030.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_iscii.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: profapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winhttp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: shfolder.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wsock32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: msasn1.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: faultrep.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dbghelp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dbgcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: ntmarta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: libasset32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: cryptbase.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: windows.storage.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wldp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: olepro32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: oleacc.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dwmapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: msimg32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_is2022.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_g18030.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_iscii.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: firewallapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dnsapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: fwbase.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: fwpolicyiomgr.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: sxs.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winhttp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: shfolder.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wsock32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: msasn1.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: faultrep.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dbghelp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dbgcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: ntmarta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: libasset32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: cryptbase.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: windows.storage.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wldp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: olepro32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: oleacc.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dwmapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: msimg32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_is2022.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_g18030.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_iscii.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winhttp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: shfolder.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wsock32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: msasn1.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: faultrep.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dbghelp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dbgcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: ntmarta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: libasset32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: cryptbase.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: windows.storage.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wldp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: olepro32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: oleacc.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dwmapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: msimg32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_is2022.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_g18030.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_iscii.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: fwpuclnt.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: idndl.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: profapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: msxml6.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: mswsock.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: cryptsp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: rsaenh.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dhcpcsvc6.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: userenv.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dnsapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: umpdc.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: gpapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: cryptnet.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winnsi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: ondemandconnroutehelper.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: webio.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: rasadhlp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: firewallapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dnsapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: fwbase.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: fwpolicyiomgr.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: sxs.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: oledlg.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: shfolder.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: wsock32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: msacm32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: faultrep.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: dbghelp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: dbgcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: ntmarta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: libasset32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: cryptbase.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: windows.storage.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: wldp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: olepro32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: msftedit.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: fwpuclnt.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: idndl.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: profapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: msxml6.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: dwmapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: userenv.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: dhcpcsvc6.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: dnsapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: msxml6.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: textshaping.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: dataexchange.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: d3d11.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: dcomp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: dxgi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: twinapi.appcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: dwmapi.dll
                  Source: C:\Users\user\Desktop\442.docx.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
                  Source: Doc.LNK.3.drLNK file: ..\..\..\..\..\..\..\intel\Doc.docx
                  Source: C:\Windows\System32\msiexec.exeFile written: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppd.ini
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeFile opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
                  Source: 442.docx.exeStatic PE information: Image base 0x140000000 > 0x60000000
                  Source: 442.docx.exeStatic file information: File size 25141051 > 1048576
                  Source: 442.docx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: 442.docx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: 442.docx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: 442.docx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: 442.docx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: 442.docx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: 442.docx.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\Users\Malizia\src\vpd\setup\Release\setup.pdb source: setupdrv.exe.2.dr
                  Source: Binary string: C:\Users\Malizia\src\vpd\setup\Release\setup.pdb## source: setupdrv.exe.2.dr
                  Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: 442.docx.exe
                  Source: Binary string: unidrv.pdb source: unidrv_rppd.dll.2.dr
                  Source: 442.docx.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: 442.docx.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: 442.docx.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: 442.docx.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: 442.docx.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                  Data Obfuscation

                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeUnpacked PE file: 11.2.rfusclient.exe.270000.0.unpack
                  Source: C:\Users\user\Desktop\442.docx.exeFile created: C:\intel\__tmp_rar_sfx_access_check_4702593
                  Source: 442.docx.exeStatic PE information: section name: .didat
                  Source: 442.docx.exeStatic PE information: section name: _RDATA
                  Source: webmvorbisencoder.dll.2.drStatic PE information: section name: _RDATA
                  Source: vp8encoder.dll.2.drStatic PE information: section name: .rodata
                  Source: vp8decoder.dll.2.drStatic PE information: section name: .rodata
                  Source: webmvorbisdecoder.dll.2.drStatic PE information: section name: _RDATA
                  Source: libasset32.dll.2.drStatic PE information: section name: /4
                  Source: libasset32.dll.2.drStatic PE information: section name: /14
                  Source: libasset32.dll.2.drStatic PE information: section name: /29
                  Source: libasset32.dll.2.drStatic PE information: section name: /41
                  Source: libasset32.dll.2.drStatic PE information: section name: /55
                  Source: libasset32.dll.2.drStatic PE information: section name: /67
                  Source: libasset32.dll.2.drStatic PE information: section name: /78
                  Source: libasset32.dll.2.drStatic PE information: section name: /94
                  Source: libasset32.dll.2.drStatic PE information: section name: /110
                  Source: libcodec32.dll.2.drStatic PE information: section name: .rodata
                  Source: libcodec32.dll.2.drStatic PE information: section name: /4
                  Source: libcodec32.dll.2.drStatic PE information: section name: /14
                  Source: libcodec32.dll.2.drStatic PE information: section name: /29
                  Source: libcodec32.dll.2.drStatic PE information: section name: /41
                  Source: libcodec32.dll.2.drStatic PE information: section name: /55
                  Source: libcodec32.dll.2.drStatic PE information: section name: /67
                  Source: libcodec32.dll.2.drStatic PE information: section name: /78
                  Source: libcodec32.dll.2.drStatic PE information: section name: /94
                  Source: libcodec32.dll.2.drStatic PE information: section name: /110
                  Source: eventmsg.dll.2.drStatic PE information: section name: .didata
                  Source: vccorlib120.dll.2.drStatic PE information: section name: minATL
                  Source: rutserv.exe.2.drStatic PE information: section name: .didata
                  Source: rfusclient.exe.2.drStatic PE information: section name: .didata
                  Source: vccorlib120.dll0.2.drStatic PE information: section name: minATL
                  Source: C:\Users\user\Desktop\442.docx.exeCode function: 0_2_00007FF69D415166 push rsi; retf 0_2_00007FF69D415167
                  Source: C:\Users\user\Desktop\442.docx.exeCode function: 0_2_00007FF69D415156 push rsi; retf 0_2_00007FF69D415157
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeCode function: 11_2_60107E30 push eax; mov dword ptr [esp], esi 11_2_60107ED1
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeCode function: 17_2_00FBC34B push ebx; ret 17_2_00FBC354
                  Source: msvcr120.dll.2.drStatic PE information: section name: .text entropy: 6.95576372950548
                  Source: VPDAgent.exe.2.drStatic PE information: section name: .text entropy: 6.812931691200469
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\VPDAgent.exe
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\ARPPRODUCTICON.exe
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcr120.dll
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rppd.dll
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\emf2pdf.dll
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_start_C00864331B9D4391A8A26292A601EBE2.exe
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rppd.dll
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdpm.dll
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcr120.dll
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdui.dll
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\libasset32.dll
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\vccorlib120.dll
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rppd.dll
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpd_sdk.dll
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\vccorlib120.dll
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\progressbar.exe
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdpm.dll
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\fwproc.exe
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\MessageBox.exe
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\libcodec32.dll
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcp120.dll
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\eventmsg.dll
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\properties.exe
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\MSICEDF.tmp
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rppd.dll
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpdisp.exe
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\pdfout.dll
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcp120.dll
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\srvinst.exe
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdui.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, File created: C:\ProgramData\Remote Manipulator System\install.log
                  Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf

                  Hooking and other Techniques for Hiding and Protection

                  Source: Possible double extension: docx.exe, Static PE information: 442.docx.exe
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                  Source: C:\Windows\System32\msiexec.exe, Key value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\RMS Host Installer Security
                  Source: C:\Users\user\Desktop\442.docx.exe, Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\msiexec.exe, Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\msiexec.exe, Process information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Process information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Process information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\442.docx.exe Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

                  Malware Analysis System Evasion

                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe System information queried: FirmwareTableInformation
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe System information queried: FirmwareTableInformation
                  Source: rutserv.exe, 0000000C.00000000.1875833345.00000000014B1000.00000020.00000001.01000000.0000000D.sdmp, rutserv.exe, 0000000C.00000002.1919077774.00000000024F9000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000002.1999583540.0000000000598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXE
                  Source: rutserv.exe, 00000010.00000002.1999583540.0000000000598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXEP
                  Source: rutserv.exe, 0000000C.00000002.1919077774.00000000024F9000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000002.1999583540.0000000000598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXEE
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Window / User API: threadDelayed 492
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Window / User API: threadDelayed 1227
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Window / User API: threadDelayed 4537
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Window / User API: threadDelayed 6694
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Window / User API: threadDelayed 2811
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\VPDAgent.exe
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\ARPPRODUCTICON.exe
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rppd.dll
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcr120.dll
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\emf2pdf.dll
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_start_C00864331B9D4391A8A26292A601EBE2.exe
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rppd.dll
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdpm.dll
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcr120.dll
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdui.dll
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\vccorlib120.dll
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rppd.dll
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpd_sdk.dll
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\vccorlib120.dll
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\progressbar.exe
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdpm.dll
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\fwproc.exe
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\MessageBox.exe
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcp120.dll
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\libcodec32.dll
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\eventmsg.dll
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\properties.exe
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSICEDF.tmp
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rppd.dll
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpdisp.exe
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\pdfout.dll
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\srvinst.exe
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcp120.dll
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdui.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_11-6249
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe API coverage: 5.8 %
                  Source: C:\Windows\System32\svchost.exe TID: 8028 Thread sleep time: -30000s >= -30000s
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 2028 Thread sleep count: 492 > 30
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 2028 Thread sleep time: -492000s >= -30000s
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 4108 Thread sleep time: -50000s >= -30000s
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 7580 Thread sleep time: -300000s >= -30000s
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 7564 Thread sleep count: 1227 > 30
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 5328 Thread sleep time: -60000s >= -30000s
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 2668 Thread sleep time: -90000s >= -30000s
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 6880 Thread sleep count: 42 > 30
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 2028 Thread sleep count: 4537 > 30
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 2028 Thread sleep time: -4537000s >= -30000s
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe TID: 2196 Thread sleep time: -3347000s >= -30000s
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe TID: 2196 Thread sleep time: -1405500s >= -30000s
                  Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                  Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF69D3E40BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF69D3E40BC
                  Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF69D3FB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF69D3FB190
                  Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF69D40FCA0 FindFirstFileExA,0_2_00007FF69D40FCA0
                  Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF69D4016A4 VirtualQuery,GetSystemInfo,0_2_00007FF69D4016A4
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Thread delayed: delay time: 50000
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Thread delayed: delay time: 60000
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeFile opened: C:\Windows\SysWOW64\wininet.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeFile opened: C:\Windows\SysWOW64\winspool.drv
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeFile opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\COMCTL32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeFile opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeFile opened: C:\Windows\SysWOW64\
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeFile opened: C:\Windows\SysWOW64\winmm.dll
                  Source: 442.docx.exe, 00000000.00000003.1727756597.000001AFC6FBB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSIdRom&Ven_NECVMWar&Prod_VMware_
                  Source: rutserv.exe, 00000011.00000002.2964235686.000000000084D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW(w
                  Source: svchost.exe, 00000006.00000002.2975279401.0000023D4F82B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2989333692.0000023D54E57000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2668508292.0000000007F16000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.2964235686.000000000084D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: rfusclient.exe, 0000000B.00000002.1870466441.00000000012FF000.00000004.00000020.00020000.00000000.sdmp, rfusclient.exe, 00000013.00000002.2972217825.000000000131C000.00000004.00000020.00020000.00000000.sdmp, rfusclient.exe, 00000014.00000002.2972130045.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, rfusclient.exe, 00000015.00000002.2078037084.00000000013ED000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeCode function: 0_2_00007FF69D4076D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF69D4076D8
                  Source: C:\Users\user\Desktop\442.docx.exeCode function: 0_2_00007FF69D410D20 GetProcessHeap,0_2_00007FF69D410D20
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /startJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeCode function: 0_2_00007FF69D4076D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF69D4076D8
                  Source: C:\Users\user\Desktop\442.docx.exeCode function: 0_2_00007FF69D403170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF69D403170
                  Source: C:\Users\user\Desktop\442.docx.exeCode function: 0_2_00007FF69D402510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF69D402510
                  Source: C:\Users\user\Desktop\442.docx.exeCode function: 0_2_00007FF69D403354 SetUnhandledExceptionFilter,0_2_00007FF69D403354
                  Source: C:\Users\user\Desktop\442.docx.exeCode function: 0_2_00007FF69D3FB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF69D3FB190
                  Source: C:\Users\user\Desktop\442.docx.exeProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\intel\Word.msi" /qnJump to behavior
                  Source: C:\Users\user\Desktop\442.docx.exeProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\intel\Doc.docx" /o ""Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstallJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewallJump to behavior
                  Source: rfusclient.exe, 0000000B.00000000.1846812364.00000000002BF000.00000020.00000001.01000000.0000000B.sdmpBinary or memory string: Shell_TrayWndTrayNotifyWndSV
                  Source: C:\Users\user\Desktop\442.docx.exeCode function: 0_2_00007FF69D3EDC70 cpuid 0_2_00007FF69D3EDC70
                  Source: C:\Users\user\Desktop\442.docx.exeCode function: GetLocaleInfoW,GetNumberFormatW,0_2_00007FF69D3FA2CC
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
                  Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\Desktop\442.docx.exeCode function: 0_2_00007FF69D400754 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF69D400754
                  Source: C:\Users\user\Desktop\442.docx.exeCode function: 0_2_00007FF69D3E4EB0 GetVersionExW,0_2_00007FF69D3E4EB0
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: rutserv.exe, 0000000C.00000000.1875833345.00000000014B1000.00000020.00000001.01000000.0000000D.sdmpBinary or memory string: OLLYDBG.EXE
                  Source: rutserv.exe, 0000000C.00000002.1919077774.00000000024F9000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000002.1999583540.0000000000598000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ollydbg.exe
                  Source: C:\Windows\System32\msiexec.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD BlobJump to behavior
                  Source: Yara matchFile source: 11.0.rfusclient.exe.270000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000013.00000002.2974268243.0000000002E56000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000014.00000002.2977786114.0000000002E4A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000014.00000002.2977786114.0000000002E18000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000014.00000002.2990838666.0000000004A84000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000013.00000002.2974268243.0000000002E7A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000C.00000000.1894913988.0000000001F71000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000011.00000003.1974630728.0000000007B3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000014.00000002.2990838666.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000011.00000002.2988939881.0000000002698000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000B.00000000.1848835790.0000000000D25000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: rfusclient.exe PID: 7456, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: rutserv.exe PID: 7676, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: rutserv.exe PID: 6120, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: rfusclient.exe PID: 7560, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: rfusclient.exe PID: 7720, type: MEMORYSTR
                  Source: Yara matchFile source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, type: DROPPED
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | 1 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 2 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 13 Obfuscated Files or Information | LSASS Memory | 11 Peripheral Device Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Extra Window Memory Injection | 12 Software Packing | Security Account Manager | 4 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 12 Process Injection | 1 DLL Side-Loading | NTDS | 67 System Information Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 File Deletion | LSA Secrets | 1 Query Registry | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Extra Window Memory Injection | Cached Domain Credentials | 251 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 122 Masquerading | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Modify Registry | Proc Filesystem | 131 Virtualization/Sandbox Evasion | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 131 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 12 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
[Behavior graph. ID: 1567328; Sample: 442.docx.exe; Start date: 03/12/2024; Architecture: WINDOWS; Score: 92]

                  No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\MessageBox.exe | 3% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\VPDAgent.exe | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\emf2pdf.dll | 3% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\fwproc.exe | 3% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\pdfout.dll | 2% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\progressbar.exe | 3% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\properties.exe | 3% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\srvinst.exe | 3% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpd_sdk.dll | 2% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpdisp.exe | 2% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcp120.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcr120.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdpm.dll | 3% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdui.dll | 4% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe | 3% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rppd.dll | 3% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rppd.dll | 3% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll | 3% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\vccorlib120.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcp120.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcr120.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdpm.dll | 2% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdui.dll | 3% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe | 3% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rppd.dll | 3% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rppd.dll | 3% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll | 3% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\vccorlib120.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\eventmsg.dll | 8% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\libasset32.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\libcodec32.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | 13% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | 12% | ReversingLabs | Win32.Trojan.Generic | |
| C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSICEDF.tmp | 0% | ReversingLabs | | |
| C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\ARPPRODUCTICON.exe | 0% | ReversingLabs | | |
| C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe | 0% | ReversingLabs | | |
| C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe | 0% | ReversingLabs | | |
| C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_start_C00864331B9D4391A8A26292A601EBE2.exe | 0% | ReversingLabs | | |
| C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe | 0% | ReversingLabs | | |
                  No Antivirus matches
                  No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| http://rmansys.ru/nsys.ru/pfj | 0% | Avira URL Cloud | safe | |
| http://rmansys.ru///rmansys.ru/l | 0% | Avira URL Cloud | safe | |
| http://rmansys.ru/rd | 0% | Avira URL Cloud | safe | |
| http://cacerts.div | 0% | Avira URL Cloud | safe | |
| https://www.rmansys.ruopen | 0% | Avira URL Cloud | safe | |
| http://rmansys.ru/pfj | 0% | Avira URL Cloud | safe | |
| http://rmansys.ru/web-help/eb-help/D | 0% | Avira URL Cloud | safe | |
| http://rmansys.ru/web-help/eb-help/t | 0% | Avira URL Cloud | safe | |
| https://rmansys.ru/remote-access//rmansys.ru/remote-access/O | 0% | Avira URL Cloud | safe | |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high |
| main.internetid.ru | 95.213.205.83 | true | false | | unknown |
| prod.globalsign.map.fastly.net | 151.101.2.133 | true | false | | high |
| windowsupdatebg.s.llnwi.net | 178.79.238.128 | true | false | | high |
| id72.internetid.ru | unknown | unknown | false | | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious
77.223.124.212 | unknown | Russian Federation | 51604 | EKAT-ASRU | false
111.90.147.125 | unknown | Malaysia | 45839 | SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY | true
78.138.9.142 | unknown | United Kingdom | 8513 | SKYVISIONGB | false
95.213.205.83 | main.internetid.ru | Russian Federation | 50340 | SELECTEL-MSKRU | false
                                                                                                    IP
                                                                                                    127.0.0.1
                                                                                                    Joe Sandbox version:41.0.0 Charoite
                                                                                                    Analysis ID:1567328
                                                                                                    Start date and time:2024-12-03 12:34:51 +01:00
                                                                                                    Joe Sandbox product:CloudBasic
                                                                                                    Overall analysis duration:0h 9m 50s
                                                                                                    Hypervisor based Inspection enabled:false
                                                                                                    Report type:full
                                                                                                    Cookbook file name:default.jbs
                                                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                    Number of analysed new started processes analysed:23
                                                                                                    Number of new started drivers analysed:0
                                                                                                    Number of existing processes analysed:0
                                                                                                    Number of existing drivers analysed:0
                                                                                                    Number of injected processes analysed:0
                                                                                                    Technologies:
                                                                                                    • HCA enabled
                                                                                                    • EGA enabled
                                                                                                    • AMSI enabled
                                                                                                    Analysis Mode:default
                                                                                                    Analysis stop reason:Timeout
                                                                                                    Sample name:442.docx.exe
                                                                                                    renamed because original name is a hash value
                                                                                                    Original Sample Name: .docx.exe
                                                                                                    Detection:MAL
                                                                                                    Classification:mal92.troj.evad.winEXE@28/322@1/5
                                                                                                    EGA Information:
                                                                                                    • Successful, ratio: 83.3%
                                                                                                    HCA Information:Failed
                                                                                                    Cookbook Comments:
                                                                                                    • Found application associated with file extension: .exe
                                                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
                                                                                                    • Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.109.76.243, 2.19.229.151, 52.113.194.132, 199.232.214.172, 52.111.252.18, 52.111.252.17, 52.111.252.15, 52.111.252.16, 52.168.117.174, 2.21.69.99, 2.21.69.90, 2.18.64.211, 2.18.64.220, 151.101.2.133, 151.101.194.133
                                                                                                    • Excluded domains from analysis (whitelisted): binaries.templates.cdn.office.net.edgesuite.net, slscr.update.microsoft.com, templatesmetadata.office.net.edgekey.net, eur.roaming1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ocsp.globalsign.com, neu-azsc-000.roaming.officeapps.live.com, a1847.dscg2.akamai.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, prod-all.naturallanguageeditorservice.osi.office.net.akadns.net, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, prod-inc-resolver.naturallanguageeditorservice.osi.office.net.akadns.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office
• Not all processes were analyzed, report is missing behavior information
                                                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                    • Report size getting too big, too many NtCreateFile calls found.
                                                                                                    • Report size getting too big, too many NtCreateKey calls found.
                                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                    • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                    • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                    • VT rate limit hit for: 442.docx.exe
Time | Type | Description
06:35:50 | API Interceptor | 2x Sleep call for process: svchost.exe modified
06:36:10 | API Interceptor | 353737x Sleep call for process: rutserv.exe modified
06:36:17 | API Interceptor | 183200x Sleep call for process: rfusclient.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
95.213.205.83 | ExeFile (206).exe | malicious | RMSRemoteAdmin, Xmrig
95.213.205.83 | winserv.exe | malicious | RMSRemoteAdmin, xRAT
95.213.205.83 | winserv.exe | malicious | RMSRemoteAdmin, xRAT
Match | Associated Sample Name / URL | Detection | Threat Name | Context
main.internetid.ru | https://bitbucket.org/ziphose/obmen/downloads/Doc.7z | malicious | RMSRemoteAdmin | 95.213.205.83
main.internetid.ru | ExeFile (206).exe | malicious | RMSRemoteAdmin, Xmrig | 95.213.205.83
main.internetid.ru | winserv.exe | malicious | RMSRemoteAdmin, xRAT | 95.213.205.83
main.internetid.ru | winserv.exe | malicious | RMSRemoteAdmin, xRAT | 95.213.205.83
main.internetid.ru | 3C77C16EE21FF2F584B1EB5DF4882976A934D50D1D4E0.exe | malicious | RMSRemoteAdmin | 95.213.205.83
prod.globalsign.map.fastly.net | https://bitbucket.org/ziphose/obmen/downloads/Doc.7z | malicious | RMSRemoteAdmin | 151.101.66.133
prod.globalsign.map.fastly.net | https://e.letscompress.online/update.txt | malicious | Unknown | 151.101.130.133
prod.globalsign.map.fastly.net | http://propdfhub.com | malicious | Unknown | 151.101.130.133
prod.globalsign.map.fastly.net | Document-19-06-38.js | malicious | BruteRatel | 151.101.194.133
prod.globalsign.map.fastly.net | goJ2miRnrv.exe | malicious | RMSRemoteAdmin | 151.101.194.133
prod.globalsign.map.fastly.net | goJ2miRnrv.exe | malicious | RMSRemoteAdmin | 151.101.66.133
prod.globalsign.map.fastly.net | https://www.pdfriend.com/pdfconverter?gad_source=5&gclid=EAIaIQobChMIwqGhsbi9iAMVO6uOCB1oKCEPEAEYASAAEgJbhfD_BwE | malicious | Unknown | 151.101.2.133
prod.globalsign.map.fastly.net | http://ak43423ce23ks.com/qnbfinans/ | malicious | Unknown | 151.101.2.133
bg.microsoft.map.fastly.net | 27112024_0154_new.bat | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | I_ katya_gianotti@cuzziol_it password scadr#U00e0 oggi!.msg | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | attached invoice.exe | malicious | FormBook | 199.232.214.172
bg.microsoft.map.fastly.net | file.exe | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | Quarantined Messages-9.zip | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | 1L8qjfD9J2.exe | malicious | Njrat | 199.232.210.172
                                                                                                          file.exeGet hashmaliciousStealcBrowse
                                                                                                          • 199.232.214.172
                                                                                                          INTRUM65392.pdf.lnkGet hashmaliciousUnknownBrowse
                                                                                                          • 199.232.214.172
                                                                                                          windowsupdatebg.s.llnwi.netAccount Review Desk - Help us keep your VAT account accurate.msgGet hashmaliciousCredentialStealerBrowse
                                                                                                          • 178.79.238.0
                                                                                                          NF---710.msiGet hashmaliciousAteraAgentBrowse
                                                                                                          • 178.79.238.128
                                                                                                          REMITTANCE_PAYMENT54342Saic.htmlGet hashmaliciousPhisherBrowse
                                                                                                          • 178.79.238.0
                                                                                                          Compilazione di video e immagini protetti da copyright.batGet hashmaliciousUnknownBrowse
                                                                                                          • 178.79.238.128
                                                                                                          http://esaleerugs.comGet hashmaliciousUnknownBrowse
                                                                                                          • 178.79.238.0
                                                                                                          KAHILINGAN NG BADYET 25-11-2024#U00b7pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                          • 178.79.238.128
                                                                                                          file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                          • 178.79.238.0
                                                                                                          0Nj1sxmCtr.exeGet hashmaliciousBinder HackTool, QuasarBrowse
                                                                                                          • 178.79.238.128
                                                                                                          registration.msiGet hashmaliciousAteraAgentBrowse
                                                                                                          • 178.79.238.128
                                                                                                          Digital.msiGet hashmaliciousAteraAgentBrowse
                                                                                                          • 178.79.238.0
                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                          SKYVISIONGBla.bot.mipsel.elfGet hashmaliciousUnknownBrowse
                                                                                                          • 83.229.59.112
                                                                                                          https://www.google.ml/url?fvg=1YI3fC8whlGPBCiMyiuQ&bhtBf=8EQhXbuMThqowIo0zyCX&sa=t&ndg=afydNw3nDHf9A6uq2MCH&url=amp%2Fiestpcanipaco.edu.pe%2F.r%2Fu1kOgE-SURELILYYWRhcnNoLm1hbGhvdHJhQGphdG8uY29tGet hashmaliciousHTMLPhisherBrowse
                                                                                                          • 78.138.9.37
                                                                                                          arm4.elfGet hashmaliciousMiraiBrowse
                                                                                                          • 217.194.146.92
                                                                                                          la.bot.sh4.elfGet hashmaliciousUnknownBrowse
                                                                                                          • 217.194.158.58
                                                                                                          shipping documents_pdf.exeGet hashmaliciousFormBookBrowse
                                                                                                          • 83.229.19.82
                                                                                                          https://bread.nfpt.adfixagency.co.in/Get hashmaliciousUnknownBrowse
                                                                                                          • 78.138.9.37
                                                                                                          https://bread1.nfpt.adfixagency.co.in/landingv2Get hashmaliciousUnknownBrowse
                                                                                                          • 78.138.9.37
                                                                                                          https://www.google.com/url?q=https://www.google.com/url?q%3DIrfT8NMLx6QPaJgv6Z3g%26rct%3DqsUbQmXhZ93d4gNXIWaR%26sa%3Dt%26esrc%3DEgJeLX8CAl11DNSW7pgH%26source%3D%26cd%3D9X3EYbyCMUoB46Jqpszn%26cad%3Dz64Ndl7J844jI5EH33et%26ved%3D36LRX1krI3rPMEZVSMU2%26uact%3D%2520%26url%3Damp%252Fsantanderconcepts%252Ecom%252F.lamb%252F&source=gmail&ust=1725986149001000&usg=AOvVaw1kdi6SPX1NGpGYFWhG_1Z7#NQvlKnUGFE-SURENICObWljaGFlbHNjb2ZpZWxkQGRpc25leS5jb20=Get hashmaliciousHTMLPhisherBrowse
                                                                                                          • 78.138.9.37
                                                                                                          EKAT-ASRUloligang.mips.elfGet hashmaliciousMiraiBrowse
                                                                                                          • 5.165.233.70
                                                                                                          sparc.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                          • 5.166.34.53
                                                                                                          bin.sh.elfGet hashmaliciousMiraiBrowse
                                                                                                          • 85.115.185.36
                                                                                                          SecuriteInfo.com.Win32.Application.Agent.NSIF6L.17895.28880.exeGet hashmaliciousUnknownBrowse
                                                                                                          • 77.223.100.3
                                                                                                          SecuriteInfo.com.Win32.Application.Agent.NSIF6L.17895.28880.exeGet hashmaliciousUnknownBrowse
                                                                                                          • 77.223.100.3
                                                                                                          la.bot.powerpc.elfGet hashmaliciousUnknownBrowse
                                                                                                          • 5.166.34.83
                                                                                                          la.bot.arm.elfGet hashmaliciousUnknownBrowse
                                                                                                          • 85.115.161.24
                                                                                                          na.elfGet hashmaliciousMiraiBrowse
                                                                                                          • 5.166.34.78
                                                                                                          SecuriteInfo.com.Linux.Siggen.9999.28522.3483.elfGet hashmaliciousMiraiBrowse
                                                                                                          • 109.195.98.211
                                                                                                          SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMYVendor Agreement Ready for Your Signature November 22 2024 at 084923 PM.msgGet hashmaliciousHTMLPhisherBrowse
                                                                                                          • 101.99.75.104
                                                                                                          http://amz-account-unlock-dashboard4.duckdns.orgGet hashmaliciousUnknownBrowse
                                                                                                          • 111.90.149.151
                                                                                                          https://texasbarcle.com/CLE/AAGateway.asp?lRefID=19203&sURL=https://famezik.com/#Zi5waWNhc3NvJG1hcmxhdGFua2Vycy5ncg==Get hashmaliciousUnknownBrowse
                                                                                                          • 111.90.141.53
                                                                                                          Ssc Executed Docs#962297(Revised).docxGet hashmaliciousUnknownBrowse
                                                                                                          • 111.90.146.230
                                                                                                          amen.m68k.elfGet hashmaliciousUnknownBrowse
                                                                                                          • 101.99.125.192
                                                                                                          botnet.x86.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                          • 124.217.225.17
                                                                                                          0438.pdf.exeGet hashmaliciousUnknownBrowse
                                                                                                          • 111.90.140.76
                                                                                                          0438.pdf.exeGet hashmaliciousUnknownBrowse
                                                                                                          • 111.90.140.76
                                                                                                          No context
Match: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\MessageBox.exe
Associated Sample Name / URL, Detection, Threat Name:
• https://bitbucket.org/ziphose/obmen/downloads/Doc.7z, malicious, RMSRemoteAdmin
• J4zGPhVRV3.exe, malicious, RMSRemoteAdmin
• J4zGPhVRV3.exe, malicious, RMSRemoteAdmin
• SecuriteInfo.com.PUA.Tool.RemoteControl.20.28594.18180.exe, malicious, RMSRemoteAdmin
• SecuriteInfo.com.PUA.Tool.RemoteControl.20.28594.18180.exe, malicious, RMSRemoteAdmin
• 044f.pdf.scr, malicious, RMSRemoteAdmin
• 3e#U043c.scr, malicious, RMSRemoteAdmin
• 3e#U043c.scr, malicious, RMSRemoteAdmin
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:data
                                                                                                                          Category:modified
                                                                                                                          Size (bytes):33259
                                                                                                                          Entropy (8bit):5.2895321560864055
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:R5t4t4t+ZXTWBwp1KwUXciM01HuECHgCg4gcgblFlVY3TY3s8:gCBwpswUXceHuECHgCg4gcgblFla3U3j
                                                                                                                          MD5:EA3730922A773588C23F2B765BC0B87A
                                                                                                                          SHA1:7B8785FF2456AB066019D40DFFF074C9EB6D3CD6
                                                                                                                          SHA-256:6E8B7A4EEA5EA60688FC5F80739E494C66067694EAB549F8BA43D4B1D611066F
                                                                                                                          SHA-512:356F711421E5D11488A75E50B0BA4D860C7F81F5B6DDCC0A3708D9F795A9C38F98F8E8BDBC177C4AE2E67AA6B789C55C48A3135412E344E59BFC5A5A91420F59
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):118
                                                                                                                          Entropy (8bit):3.5700810731231707
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
                                                                                                                          MD5:573220372DA4ED487441611079B623CD
                                                                                                                          SHA1:8F9D967AC6EF34640F1F0845214FBC6994C0CB80
                                                                                                                          SHA-256:BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
                                                                                                                          SHA-512:F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
                                                                                                                          Malicious:false
                                                                                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:Rich Text Format data, version 1, ANSI, code page 1251, default middle east language ID 1025
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):140524
                                                                                                                          Entropy (8bit):4.705761523836363
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:wu3K4JDvJNJt2cGTXxl5loUWDTEhkClEgoKt9ai1IYdO5NVSUeDfydxqXJe2JNC0:wu93dN2OqrYZlKhIiSEGQ4wL
                                                                                                                          MD5:65B04B706AC06E31210F4FFB1E92994E
                                                                                                                          SHA1:B005637B3DE903CBD7960637D77FF993897C5A63
                                                                                                                          SHA-256:E9ACC22A02BC2148AE07EC7CBE741E6E1CBC90DE3856AAE8F32A31FB5C338566
                                                                                                                          SHA-512:5B708D069434A384738EFD5F4621F257FC79A7F5A32D8AE9C1D29E21EFE1EEB2C393EC67DA39714C0C73F2217B68091EE7196C72331838A0A7ECA872FAF09A09
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):15680
                                                                                                                          Entropy (8bit):6.579534230870796
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:XxgSABvdm4Yy3EA39QKoEp0Fm7qFAmL8x2fLWwsU7K6CYv7+C:Xx0FmW3Ea1KmexmMK6jr
                                                                                                                          MD5:C2F009D6317D1BA4E722938A1408478A
                                                                                                                          SHA1:66D702BC9FA98D1E7FE9BBC16AFF9AE711019E9B
                                                                                                                          SHA-256:6A8D4FB6F90B53D986B2AC6BF3BFCC56D6A54A2E8AF5670129566F5D344ED0FA
                                                                                                                          SHA-512:4D8060EC77EB9B95B57BC20AF2685064FA1E1FCC9403EFE95572C37D72ACD39B8005831EA0BAE95C365E945E50962B7FE1BFD964C5776D3E99CE5E474F726BFE
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                          Joe Sandbox View:
• Filename: , Detection: malicious
• Filename: J4zGPhVRV3.exe, Detection: malicious
• Filename: J4zGPhVRV3.exe, Detection: malicious
• Filename: SecuriteInfo.com.PUA.Tool.RemoteControl.20.28594.18180.exe, Detection: malicious
• Filename: SecuriteInfo.com.PUA.Tool.RemoteControl.20.28594.18180.exe, Detection: malicious
• Filename: 044f.pdf.scr, Detection: malicious
• Filename: 3e#U043c.scr, Detection: malicious
• Filename: 3e#U043c.scr, Detection: malicious
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2673984
                                                                                                                          Entropy (8bit):6.865614554810881
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:BE8JxHX5r9sDQl7wDSMSFxvQ/qpyr0k0ha5XLDaDMPNw2x8pWTUKA76AeF8:BE8XHX5riUl7wDP6vQ/qpyr0kR5XLWDB
                                                                                                                          MD5:10CD2135C0C5D9D3E5A0A5B679F2FAAE
                                                                                                                          SHA1:A0617D8C6876F98B9A1819A71F2A56B965C1C75D
                                                                                                                          SHA-256:D7A97387505CA740AC88E85CAC3AA3CA73C666CC3BFD977C7E40B1D9D6CA6C12
                                                                                                                          SHA-512:6A1F81127FF26DCC235D7CE454E69F9A3784AC54BBC8486CB5022AAC47C2FB6003641A0F8AAFDD3B89812FE3C1C90569AD73C1C135687C042CE92C5DD2FFBDD8
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1110848
                                                                                                                          Entropy (8bit):6.491478844569486
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:TqSQS800orApz53PI2GVqH7kpf/V57GGcP6T5m+moXafzb:tQSX0oAtkpf/bfcyTTmoozb
                                                                                                                          MD5:AB3E77FC94445A18C9376F98CE10102F
                                                                                                                          SHA1:9424736FB3DB517C5584A14A482F84D81A671F8D
                                                                                                                          SHA-256:EEE325D9AC6A7B24B8ED3742110BD042803D6DA065F2E51153151E69D51CE4A3
                                                                                                                          SHA-512:454115C621434E98D39AEC605FCEB349C7AFB938B3E822F5950EE60E54FBFCB5CDBFE750015FE947C07FB991B4E966E535640343294D885ED2661353D3FD6EC9
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):22848
                                                                                                                          Entropy (8bit):6.464002114523214
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:2+b57Gk7g+iy21oCiDuK9jkrtpgjKMpFmexmMK6j8qF2:7/210DuVrtsKM3ZxBKghF2
                                                                                                                          MD5:2DE35EAAE57A6BAA02D9E8ED0661F042
                                                                                                                          SHA1:82D14A58D5188F5B7606365BE0E3F968A8E81E93
                                                                                                                          SHA-256:BB43036D202D3DBD765A12D1C4C243E7AB8328FFC1941AEA838D8B1553700E64
                                                                                                                          SHA-512:02F1D530C1469431A94074A057FCE3FE60735D3B15DD767E8F39F29B702B98B061954063D83D5FA426D7684CC86359E87424F0CC54FFB0AC3F388AA7E48D6DE0
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4005696
                                                                                                                          Entropy (8bit):6.809616089473951
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:98304:lbR+lDT6t58JcKdTG57M06POn9rvBAUZLM8FAK:FR+lDOt5kgFvVwmd
                                                                                                                          MD5:2C5987EA1E87A5C073B780F8102AE09C
                                                                                                                          SHA1:78DAA99D8C59A4A2E0D3B59E5427F854D8613080
                                                                                                                          SHA-256:22AC34380064C0FFEE59AD892CA4695E94EE8F97B78C18565251295817A784FE
                                                                                                                          SHA-512:7D6432960C5F3BEC27B13D06D4126C91A1DD7DD702DE97F1001855D8572BE68D6526F419BB58F5E5238E8E8F81C801BDAD8F351EF0AE75564835146F3DD3434D
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:MS Windows icon resource - 6 icons, 32x32, 4 bits/pixel, 16x16, 4 bits/pixel
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):10134
                                                                                                                          Entropy (8bit):5.364629779133003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:75LkqDCmLVf89uqywWrvNCB4isySOc3AOv2B+YT1/44tuU+3:1OmLVf4dErvNCB5tSOc3AY2BP944g
                                                                                                                          MD5:6F70BD62A17EC5B677EC1129F594EE6F
                                                                                                                          SHA1:4FB95EB83A99C0DA62919C34886B0A3667F3911E
                                                                                                                          SHA-256:FC8570D50C1773A1B34AA4E31143FD0776E26FF032EE3EEB6DB8BFAB42B4A846
                                                                                                                          SHA-512:615A7E8738B2CF1BC47C8D5FC1357C1299080D0BAA1E54129D0DEBDB6BA60CD366364BE0BDAFDABCBA60F16544B0516A50B4B0182E8BCF01F59171003CE9B244
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):39744
                                                                                                                          Entropy (8bit):6.36744082696392
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:TkzqOI138e1y6JMKxTrAogoAoaP7+qFXYiLxjdQzUQ9LSk3E0gTSsn2TkhI3K0Jn:TLqokSaddQzUNk3EXSsn2Tk4ZZxBKgfP
                                                                                                                          MD5:9ED8BAA9DEC76C6AFAFC1C71193A0AE8
                                                                                                                          SHA1:843727F195BF194CFF3736B80FB5249713F1E116
                                                                                                                          SHA-256:CD2C60402D46C339147ADDF110C904F78A783F23106CCAD147EFA156175D66DE
                                                                                                                          SHA-512:40D85540176AB0170B7341D6A8A808FD351B35C6444D468E7707B35D2B2E8F3322DBF0BF31E0578E3A12E1A62B310DD7983B7EFB0F2C72D0C4104AEB0BBCEFF9
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):179520
                                                                                                                          Entropy (8bit):5.239011393842513
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:1536:+vQrKBVxKfGkHM5ZZ+HHJOWfuXO8zIJ1k9XHX8t0wk7UAjKQpmErUaDO3nG:3kjiTGD+JOWGT00XHXo0w+mErBO3G
                                                                                                                          MD5:FF197487BFE7E9D3396E0793B83811ED
                                                                                                                          SHA1:D92CA066B79DF28BF22BB051AEDFE10E4FA4A2A6
                                                                                                                          SHA-256:E6D0CA844514FDD105772E72C7C30D47099112AB68A4A5F9E4A2B28C0372A05A
                                                                                                                          SHA-512:33A13B0EE7E3DD038B35B5E4220278016397D003DCEECA56C3EE264608E053940AAFC09AE582C0FD67DFA919F38265883269F6C1A93E5BB9047B97F4A51CACCE
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):98650
                                                                                                                          Entropy (8bit):4.192473934109759
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:5rENOwVRq6rZmor3CmRxhESLGZ0s1JP2PY6rZIshvwmE2uJJ6rZqDJK1YRo6rZGx:S9miFao0WDn
                                                                                                                          MD5:1614E6CDF119FD284D476F7E6723B3AD
                                                                                                                          SHA1:3FF9164C9E5FC47169CC1C6EECA22AAB099F2EA3
                                                                                                                          SHA-256:C8DF350F95FFEEED30060092DC8666EADCE040A4DDCB98E7A9293F87D19387A8
                                                                                                                          SHA-512:8FBCB156B2F9637BC15FA71758A361CB2500F5A19875EE6BE2B52FC3171C38353A6CDC623E36777D052E0B319C7AF934D2D1DBE92E69666C9B9AD749610BA471
                                                                                                                          Malicious:false
                                                                                                                           Preview:[English] LangID=1033 ; look for language identifiers in MSDN - 'Table of Language Identifiers' topic ; STANDARD DIALOG BUTTONS: 1=OK 2=Cancel ; PRINTING PREFERENCES: ; Common strings ; bits per pixel 5000 = 1 bit - black and white 5001 = 4 bits - 16 colors 5002 = 8 bits - 256 colors 5003 = 24 bits - true color ; Compression 5004 = None 5005 = Automatic 5006 = CCITT modified Huffman RLE 5007 = CCITT Group 3 fax encoding 5008 = CCITT Group 4 fax encoding 5009 = Lempe
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):53056
                                                                                                                          Entropy (8bit):6.556803642202102
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:AqfYixknAt1kJSwlxeZQHPFtuEK+XLxSzELK4ZHZxBKgCu:8ixknqaxxeZ09tVr7xkyZ5ncu
                                                                                                                          MD5:A7A19BFD82EEAE7D4DC00144F3B949F4
                                                                                                                          SHA1:FBD6EF10A7D519386CB32B093AE7E42852BAECBD
                                                                                                                          SHA-256:A32A93B71A5628EDFC19FD31D26AC60DAF364E89CFDA2C82071718814042BE55
                                                                                                                          SHA-512:5AC0F6A0FDAAB8B832B0021948101ABD1C8AF8B79E0C02D60770DF22D945D669AE7D588BD3264F9991E11CBAB01A445AAC9B594B47171C68A6A7BDC3FBB8D962
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2772288
                                                                                                                          Entropy (8bit):6.917291195041145
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:UuZqJvz7GHYFVw8vfMVDpaLGtH3uSvQ/qpyr0kiU6HoCPLG5gzyUxChRebU:UuZqJvz7GHGVfvfMVDNNxvQ/qpyr0kpj
                                                                                                                          MD5:9FD469846E628F44A4147743875FFBC0
                                                                                                                          SHA1:6065C496D7C2695F3678D945FFA3FEFFBCD83C53
                                                                                                                          SHA-256:129C2D91F085E54FD9E333C6F580A16907A1D9659D823D6C7CB25F5D3CE55CC8
                                                                                                                          SHA-512:5AF5DD95BE604E039337D153CED2B9D3FE33F2E05818E3A222FDD9F7B3381197CCF3CA39324F46CA95B81DF76624F0EF4A0CF045195640E58B9A233D092F43AB
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2991424
                                                                                                                          Entropy (8bit):6.7900679594310915
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:kz1BQT/9rrcXgJoHt3LhNSTuHo6E7hVNO8B/3LUvQ/qpyr0kRZTKjEKMUP9isAxI:kz1BI5U3lNS6Ho6E7vBRIvQ/qpyr0kuF
                                                                                                                          MD5:829DD10CD377386A2040897F5288DDB0
                                                                                                                          SHA1:A7B1C7A6C0E1C9641750E8150EE810530FB67DD0
                                                                                                                          SHA-256:5753F66DBC480901955DE247117F3C1E99777B1A610C90931E50C374F8B1D888
                                                                                                                          SHA-512:C6B915EBF7B1C023FBB2E06FB169857539253CFA2B5B5C770DF5A43896AF8A0C847796E3F82C6109778F11D7FE3976DA172E1E0E6EACCD1C82DBAEB80ADAB4F5
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):660128
                                                                                                                          Entropy (8bit):6.339798513733826
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:N2fus43uu43Ry4GHlT4xH2K+M+/i+WSpY+7YOzCaK9A3gS2EKZm+GWodEEwnyh:muJzCaK9AB2EKZm+GWodEEwnyh
                                                                                                                          MD5:46060C35F697281BC5E7337AEE3722B1
                                                                                                                          SHA1:D0164C041707F297A73ABB9EA854111953E99CF1
                                                                                                                          SHA-256:2ABF0AAB5A3C5AE9424B64E9D19D9D6D4AEBC67814D7E92E4927B9798FEF2848
                                                                                                                          SHA-512:2CF2ED4D45C79A6E6CEBFA3D332710A97F5CF0251DC194EEC8C54EA0CB85762FD19822610021CCD6A6904E80AFAE1590A83AF1FA45152F28CA56D862A3473F0A
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):963232
                                                                                                                          Entropy (8bit):6.634408584960502
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:FkZ+EUPoH5KTcAxt/qvRQdxQxO61kCS9mmWymzVPD:FkMAlM8ixQI5C6wl
                                                                                                                          MD5:9C861C079DD81762B6C54E37597B7712
                                                                                                                          SHA1:62CB65A1D79E2C5ADA0C7BFC04C18693567C90D0
                                                                                                                          SHA-256:AD32240BB1DE55C3F5FCAC8789F583A17057F9D14914C538C2A7A5AD346B341C
                                                                                                                          SHA-512:3AA770D6FBA8590FDCF5D263CB2B3D2FAE859E29D31AD482FBFBD700BCD602A013AC2568475999EF9FB06AE666D203D97F42181EC7344CBA023A8534FB13ACB7
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:Windows setup INFormation
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):9698
                                                                                                                          Entropy (8bit):3.8395767056459316
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:jxUPudWfG9sPEd5yVplXhzPGeQ6cGIDGzBs+2o5WcicJXoNaTXy:jyxFeGIDIFXoNT
                                                                                                                          MD5:6476F7217D9D6372361B9E49D701FB99
                                                                                                                          SHA1:E1155AB2ACC8A9C9B3C83D1E98F816B84B5E7E25
                                                                                                                          SHA-256:6135D3C9956A00C22615E53D66085DABBE2FBB93DF7B0CDF5C4F7F7B3829F58B
                                                                                                                          SHA-512:B27ABD8ED640A72424B662AE5C529CDDA845497DC8BD6B67B0B44AE9CDD5E849F627E1735108B2DF09DD6EF83AD1DE6FAA1AD7A6727B5D7A7985F92A92CA0779
                                                                                                                          Malicious:false
                                                                                                                          Preview:..............;. .N.T.P.R.I.N.T...I.N.F. .(.f.o.r. .W.i.n.d.o.w.s. .S.e.r.v.e.r. .2.0.0.3. .f.a.m.i.l.y.).....;.....;. .L.i.s.t. .o.f. .s.u.p.p.o.r.t.e.d. .p.r.i.n.t.e.r.s.,. .m.a.n.u.f.a.c.t.u.r.e.r.s.....;.........[.V.e.r.s.i.o.n.].....S.i.g.n.a.t.u.r.e.=.".$.W.i.n.d.o.w.s. .N.T.$.".....P.r.o.v.i.d.e.r.=.".M.i.c.r.o.s.o.f.t.".....C.l.a.s.s.G.U.I.D.=.{.4.D.3.6.E.9.7.9.-.E.3.2.5.-.1.1.C.E.-.B.F.C.1.-.0.8.0.0.2.B.E.1.0.3.1.8.}.....C.l.a.s.s.=.P.r.i.n.t.e.r.....C.a.t.a.l.o.g.F.i.l.e.=.n.t.p.r.i.n.t...c.a.t.....D.r.i.v.e.r.I.s.o.l.a.t.i.o.n.=.2.....D.r.i.v.e.r.V.e.r.=.0.6./.2.1./.2.0.0.6.,.6...1...7.6.0.0...1.6.3.8.5.........[.M.a.n.u.f.a.c.t.u.r.e.r.].....".M.i.c.r.o.s.o.f.t.".=.M.i.c.r.o.s.o.f.t.,.N.T.a.m.d.6.4.........[.M.i.c.r.o.s.o.f.t...N.T.a.m.d.6.4.].....".{.D.2.0.E.A.3.7.2.-.D.D.3.5.-.4.9.5.0.-.9.E.D.8.-.A.6.3.3.5.A.F.E.7.9.F.0.}.". .=. .{.D.2.0.E.A.3.7.2.-.D.D.3.5.-.4.9.5.0.-.9.E.D.8.-.A.6.3.3.5.A.F.E.7.9.F.0.}.,. .{.D.2.0.E.A.3.7.2.-.D.D.3.5.-.4.9.5.0.-.9.E.D.8.-.A.6.3.3.5.A.F.
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:MS Windows icon resource - 6 icons, 32x32, 4 bits/pixel, 16x16, 4 bits/pixel
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):10134
                                                                                                                          Entropy (8bit):5.364629779133003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:75LkqDCmLVf89uqywWrvNCB4isySOc3AOv2B+YT1/44tuU+3:1OmLVf4dErvNCB5tSOc3AY2BP944g
                                                                                                                          MD5:6F70BD62A17EC5B677EC1129F594EE6F
                                                                                                                          SHA1:4FB95EB83A99C0DA62919C34886B0A3667F3911E
                                                                                                                          SHA-256:FC8570D50C1773A1B34AA4E31143FD0776E26FF032EE3EEB6DB8BFAB42B4A846
                                                                                                                          SHA-512:615A7E8738B2CF1BC47C8D5FC1357C1299080D0BAA1E54129D0DEBDB6BA60CD366364BE0BDAFDABCBA60F16544B0516A50B4B0182E8BCF01F59171003CE9B244
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):17415
                                                                                                                          Entropy (8bit):4.618177193109944
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:U1EQCr2g2t2g2F2s2J2m2p2z2ZOgoNJUTIZah25Dy:3oLILwfcV86ZO3eTIZzy
                                                                                                                          MD5:8EE7FD65170ED9BD408E0C821171B62A
                                                                                                                          SHA1:9D14A87A049C3B576CEC4B28210F0C95B94E08E0
                                                                                                                          SHA-256:EE1E4D9869188CC3FA518C445ECF071845E5BD8BE56767A9F7F7DD3ACE294BA5
                                                                                                                          SHA-512:5740AB3545D2217BA2156C58BA9AF6681D73116AB5DFBEAA5AB615D9CD0C77716C25865E67188E9D7892B340776755D4CBB1A3E98FAEAF8B6BB4B2CCA00D8AE6
                                                                                                                          Malicious:false
                                                                                                                          Preview:*GPDSpecVersion: "1.0"..*GPDFileVersion: "1.0"..*GPDFileName: "***.GPD"..*Include: "STDNAMES_VPD.GPD"..*ModelName: "****"..*MasterUnits: PAIR(40800, 117600)..*ResourceDLL: "UNIRES_VPD.DLL"..*PrinterType: PAGE..*MaxCopies: 99....*Feature: Orientation..{.. *rcNameID: =ORIENTATION_DISPLAY.. *DefaultOption: PORTRAIT.. *Option: PORTRAIT.. {.. *rcNameID: =PORTRAIT_DISPLAY.. *Command: CmdSelect.. {.. *Order: DOC_SETUP.6.. *Cmd: "".. }.. }.. *Option: LANDSCAPE_CC270.. {.. *rcNameID: =LANDSCAPE_DISPLAY.. *Command: CmdSelect.. {.. *Order: DOC_SETUP.6.. *Cmd: "".. }.. }..}..*Feature: InputBin..{.. *rcNameID: =PAPER_SOURCE_DISPLAY.. *DefaultOption: AUTO...*Option: AUTO.. {.. *rcNameID: =AUTO_DISPLAY.. *Command: CmdSelect.. {.. *Order: DOC_SETUP.9.. *Cmd: "".. }.. }.. *Option: CASSETTE.. {.. *rcNameID:
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):41
                                                                                                                          Entropy (8bit):4.479503224130278
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:z8ANyq3jII7Vc:z8cy2lc
                                                                                                                          MD5:035B163A3E4C308F617C05E0137FAFD0
                                                                                                                          SHA1:484238C9C05805F1CA5A97FA58950253B7F9FCBE
                                                                                                                          SHA-256:00CA9230DBAC7FF222CA837AA796496FF4B9B15E0552D3D5AD26B040E2BAB8D7
                                                                                                                          SHA-512:3EB65CF86C3C71944C8100F90C60604DB4EA69CB187F8E473601845EB4520148CF3779762EF997DC5C14FE8A2269B928448DDF0338A4F172C0460FA0D6F29798
                                                                                                                          Malicious:false
                                                                                                                          Preview:[OEMFiles] ..OEMConfigFile1=rppdui.dll ..
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):98650
                                                                                                                          Entropy (8bit):4.192473934109759
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:5rENOwVRq6rZmor3CmRxhESLGZ0s1JP2PY6rZIshvwmE2uJJ6rZqDJK1YRo6rZGx:S9miFao0WDn
                                                                                                                          MD5:1614E6CDF119FD284D476F7E6723B3AD
                                                                                                                          SHA1:3FF9164C9E5FC47169CC1C6EECA22AAB099F2EA3
                                                                                                                          SHA-256:C8DF350F95FFEEED30060092DC8666EADCE040A4DDCB98E7A9293F87D19387A8
                                                                                                                          SHA-512:8FBCB156B2F9637BC15FA71758A361CB2500F5A19875EE6BE2B52FC3171C38353A6CDC623E36777D052E0B319C7AF934D2D1DBE92E69666C9B9AD749610BA471
                                                                                                                          Malicious:false
                                                                                                                          Preview:..[.E.n.g.l.i.s.h.].....L.a.n.g.I.D.=.1.0.3.3.....;. .l.o.o.k. .f.o.r. .l.a.n.g.u.a.g.e. .i.d.e.n.t.i.f.i.e.r.s. .i.n. .M.S.D.N. .-. .'.T.a.b.l.e. .o.f. .L.a.n.g.u.a.g.e. .I.d.e.n.t.i.f.i.e.r.s.'. .t.o.p.i.c.........;. .S.T.A.N.D.A.R.D. .D.I.A.L.O.G. .B.U.T.T.O.N.S.:.........1.=.O.K.....2.=.C.a.n.c.e.l.........;. .P.R.I.N.T.I.N.G. .P.R.E.F.E.R.E.N.C.E.S.:.........;. .C.o.m.m.o.n. .s.t.r.i.n.g.s.....;. .b.i.t.s. .p.e.r. .p.i.x.e.l.....5.0.0.0. .=. .1. .b.i.t. .-. .b.l.a.c.k. .a.n.d. .w.h.i.t.e.....5.0.0.1. .=. .4. .b.i.t.s. .-. .1.6. .c.o.l.o.r.s.....5.0.0.2. .=. .8. .b.i.t.s. .-. .2.5.6. .c.o.l.o.r.s.....5.0.0.3. .=. .2.4. .b.i.t.s. .-. .t.r.u.e. .c.o.l.o.r.........;. .C.o.m.p.r.e.s.s.i.o.n.....5.0.0.4. .=. .N.o.n.e.....5.0.0.5. .=. .A.u.t.o.m.a.t.i.c.....5.0.0.6. .=. .C.C.I.T.T. .m.o.d.i.f.i.e.d. .H.u.f.f.m.a.n. .R.L.E.....5.0.0.7. .=. .C.C.I.T.T. .G.r.o.u.p. .3. .f.a.x. .e.n.c.o.d.i.n.g.....5.0.0.8. .=. .C.C.I.T.T. .G.r.o.u.p. .4. .f.a.x. .e.n.c.o.d.i.n.g.....5.0.0.9. .=. .L.e.m.p.e.
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):35648
                                                                                                                          Entropy (8bit):6.365966080243848
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:nE2YHORRn1SNBaiAL3X8jARHb2Os7fAK6ncZxBKg1xDo:E862HbPs7otEnzNo
                                                                                                                          MD5:68EA0EC529B7B9D3284D860F5ABD9BB4
                                                                                                                          SHA1:1A3951538D9E79F09792C8B118F010834A6C1273
                                                                                                                          SHA-256:EE963C5960F6687789004175C3DF0098331BEBBCE992BF9C73EF9EF6ED73C1E0
                                                                                                                          SHA-512:E62D2CFCA2433F4D647A5658141D63093D75491C60D1647F41FFDE74308BDF1A512DEBCC4A4535CE6FC9DE1ACB149D135D89366FE75FC9C52AA709C8887D7A28
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):204096
                                                                                                                          Entropy (8bit):5.820956822859452
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:co2/UxSJBXgK5IsZsYMNV7jWCQQD9KdtvB1WOAahmRF:co284/XgGfbuYAKdf1WOAaO
                                                                                                                          MD5:126C2BCC9112266CE33F9835A1E44B9C
                                                                                                                          SHA1:B16C0D19797C7A0CC665BC8346ECF453234A83A4
                                                                                                                          SHA-256:2736C2919966D17F27A34D69A7253CD4C2D09C6F7CF9FC03597F27BC73C0BDC2
                                                                                                                          SHA-512:C25FC46CA2D8DAAD868FA2B5F1BA6CCAAC7F919C8C7CBB86952741B493D27E79EC8C7FD5F124A704B78F4197E6F3812D0FE0F64BC00117EE2AC09B41FAE85308
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):102208
                                                                                                                          Entropy (8bit):6.071111727952987
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:1536:8Fqz3IwGZjZ8lt0nt0NhuGO7o6LJ/TJhjYEOYULzEnr:MwYrZNQCnKhnOtthUEOYULzEr
                                                                                                                          MD5:CC0E2455CFF19B3585C9FA781428E88E
                                                                                                                          SHA1:93EC9326F0CEE4E7F385525B03DDF0DF89A409E8
                                                                                                                          SHA-256:AF24B7E339CC6B80ECF7B45050533E8227D6491EED2FD8C3FF2BF22406B027AA
                                                                                                                          SHA-512:B995CD999B36B9BD3DC8BE60A7576701CB91D18DF21934521C578047CD135C91F1027058198B1867A4D46804C0514523B370ECEC0E6691A041189011E31166A6
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):14366
                                                                                                                          Entropy (8bit):4.1817849062232195
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:NjThm8JC986ITRCzEzEpYNwtd29u7ZTl8hF:yFzOnS7z0
                                                                                                                          MD5:7162D8977515A446D2C1E139DA59DED5
                                                                                                                          SHA1:952F696C463B8410B1FA93A3B2B6DAE416A81867
                                                                                                                          SHA-256:2835A439C6AE22074BC3372491CB71E6C2B72D0C87AE3EEE6065C6CAADF1E5C8
                                                                                                                          SHA-512:508F7CA3D4BC298534AB058F182755851051684F8D53306011F03875804C95E427428BD425DD13633EEC79748BB64E78AAD43E75B70CC5A3F0F4E6696DBB6D8E
                                                                                                                          Malicious:false
                                                                                                                          Preview:*%%% Copyright (c) 1997-1999 Microsoft Corporation..*%%% value macros for standard feature names and standard option names..*%%% used in older Unidrv's.....*CodePage: 1252 *% Windows 3.1 US (ANSI) code page....*Feature: RESDLL..{.. *Name: "resource dll files".. *ConcealFromUI?: TRUE.... *Option: UniresDLL.. {.. *Name: "unires_vpd.dll".. }..}....*Macros: StdFeatureNames..{.. ORIENTATION_DISPLAY: RESDLL.UniresDLL.11100.. PAPER_SIZE_DISPLAY: RESDLL.UniresDLL.11101.. PAPER_SOURCE_DISPLAY: RESDLL.UniresDLL.11102.. RESOLUTION_DISPLAY: RESDLL.UniresDLL.11103.. MEDIA_TYPE_DISPLAY: RESDLL.UniresDLL.11104.. TEXT_QUALITY_DISPLAY: RESDLL.UniresDLL.11105.. COLOR_PRINTING_MODE_DISPLAY: RESDLL.UniresDLL.11106.. PRINTER_MEMORY_DISPLAY: RESDLL.UniresDLL.11107.. TWO_SIDED_PRINTING_DISPLAY: RESDLL.UniresDLL.11108.. PAGE_PROTECTION_
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):487232
                                                                                                                          Entropy (8bit):6.340203111317007
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:MgjhSyqP1a/eVqxFxNCAiG3XyJ/2TxbfsEkhy+0F+K8lJrZdwwSvr:MglSTPaRxFdLXyJ/ebEEkx0rqJduJ
                                                                                                                          MD5:AD6C433A57BE03EE0C75076D6FE99CD5
                                                                                                                          SHA1:219EE785F2C8127DAA44B298B5B2B096FCCE8D12
                                                                                                                          SHA-256:8A180D92A2C879A3384D24A38EC8C9FD6BFD183935E61DA0B97F1C67A7EC9EA7
                                                                                                                          SHA-512:041FB9165068D0EA879632B883B3E247336A3BB159ED46AE053B60D074A0BB231FA2DEEDD6CB2BA17AACB771413A86A3F970480AF7A2311E51702288D3B9A30E
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:MS Windows 3.1 help, Tue Apr 17 13:11:56 2001, 21225 bytes
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):21225
                                                                                                                          Entropy (8bit):3.9923245636306675
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:g8qo9MqLEGX9WkaNWvbAsmrEGckkwy95/HLQdu:g8rMqLwkW8AsqEHkkwy7N
                                                                                                                          MD5:6798F64959C913673BD66CD4E47F4A65
                                                                                                                          SHA1:C50FAA64C8267AC7106401E69DA5C15FC3F2034C
                                                                                                                          SHA-256:0C02B226BE4E7397F8C98799E58B0A512515E462CCDAAC04EDC10E3E1091C011
                                                                                                                          SHA-512:8D208306B6D0F892A2F16F8070A89D8EDB968589896CB70CF46F43BF4BEFB7C4CA6A278C35FE8A2685CC784505EFB77C32B0AABF80D13BCC0D10A39AE8AFB55A
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):892224
                                                                                                                          Entropy (8bit):6.044434154548935
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:qpvsrQZu8F/bY6Pgx2B8UNG2Ql20gcwtH2qMP23so2:kZ5F/bYogxJUB9cwtHFMDp
                                                                                                                          MD5:BB98224B0CB6F17D61AA24D7A46A08C5
                                                                                                                          SHA1:DB78D1161EAA0C691DF76D1B6D7CC98793007BCE
                                                                                                                          SHA-256:23A30F94360D710BB020DF76E7846AB991EDD6CA3C7F685AECF6CD1A019D451A
                                                                                                                          SHA-512:D74291E8556911B77588D63EB20DB5D6642C31FEDD9EE186AE62D53C705F0CDBE14725ECBB8FC5FE770F45DFF05731EEBB2063A33BB78DF70B73CDCF4E86C465
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):770368
                                                                                                                          Entropy (8bit):5.630939020655746
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:+kozBEoNh3bBPc/s4430ye84TF1dbua5TVhRre3kf8IKHgikinLd:SzBEGbL4Np84TQazCSiRd
                                                                                                                          MD5:A0D2853BE8043F5FC4FEE04CFE5A8293
                                                                                                                          SHA1:4FDF21E578739ABB4BCC938568F27897E733E229
                                                                                                                          SHA-256:1D8C77B674F8294DB39B2CDE2873BDE5A2F6EBD65E14CAEEB58FBA94C92C1F3D
                                                                                                                          SHA-512:FC5CE23DF55EF277D6DB898D5620697A3A061A5DD9BE63145CE71B966905CAC41B9785121709A2A0DCF8F90B76F484FAB619EB8DB40A873A867468ECF1620F99
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):356528
                                                                                                                          Entropy (8bit):5.917051105867173
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:0g5dgFfqaKFJyHrByeUIRAHq0KzS9OAgfVgYCDlSv:0OdcUIRAHqAeX0a
                                                                                                                          MD5:BDD8AE768DBF3E6C65D741CB3880B8A7
                                                                                                                          SHA1:91B01FD48A586822C1D81CA80B950F8639CCE78C
                                                                                                                          SHA-256:602ADD77CBD807D02306DE1D0179CB71A908EECB11677116FC206A7E714AB6D6
                                                                                                                          SHA-512:7840554A66F033E556CF02772B8B3749C593657CA254E0F2DBD93B05F4600E11BA821EBA8FC038115C038B5E5AF2F8D2CF0A5AE1F1362E813CF0B5041BBBFF94
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):455328
                                                                                                                          Entropy (8bit):6.698367093574994
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:uZ/8wcqw2oe+Z3VrfwfNOOoWhUgiW6QR7t5ss3Ooc8DHkC2e77/:W/8wVwHZFTwFOOos3Ooc8DHkC2e77/
                                                                                                                          MD5:FD5CABBE52272BD76007B68186EBAF00
                                                                                                                          SHA1:EFD1E306C1092C17F6944CC6BF9A1BFAD4D14613
                                                                                                                          SHA-256:87C42CA155473E4E71857D03497C8CBC28FA8FF7F2C8D72E8A1F39B71078F608
                                                                                                                          SHA-512:1563C8257D85274267089CD4AEAC0884A2A300FF17F84BDB64D567300543AA9CD57101D8408D0077B01A600DDF2E804F7890902C2590AF103D2C53FF03D9E4A5
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):970912
                                                                                                                          Entropy (8bit):6.9649735952029515
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:LBmFyjLAOQaYkxGXPfY7eiWWcpOKnpTVOIxhK765qlRRb6x4pI23IbJQV:dmFyjLF847eiWWcoGZVOIxh/WxIAIbGV
                                                                                                                          MD5:034CCADC1C073E4216E9466B720F9849
                                                                                                                          SHA1:F19E9D8317161EDC7D3E963CC0FC46BD5E4A55A1
                                                                                                                          SHA-256:86E39B5995AF0E042FCDAA85FE2AEFD7C9DDC7AD65E6327BD5E7058BC3AB615F
                                                                                                                          SHA-512:5F11EF92D936669EE834A5CEF5C7D0E7703BF05D03DC4F09B9DCFE048D7D5ADFAAB6A9C7F42E8080A5E9AAD44A35F39F3940D5CCA20623D9CAFE373C635570F7
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:Windows setup INFormation
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):9698
                                                                                                                          Entropy (8bit):3.8395767056459316
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:jxUPudWfG9sPEd5yVplXhzPGeQ6cGIDGzBs+2o5WcicJXoNaTXy:jyxFeGIDIFXoNT
                                                                                                                          MD5:6476F7217D9D6372361B9E49D701FB99
                                                                                                                          SHA1:E1155AB2ACC8A9C9B3C83D1E98F816B84B5E7E25
                                                                                                                          SHA-256:6135D3C9956A00C22615E53D66085DABBE2FBB93DF7B0CDF5C4F7F7B3829F58B
                                                                                                                          SHA-512:B27ABD8ED640A72424B662AE5C529CDDA845497DC8BD6B67B0B44AE9CDD5E849F627E1735108B2DF09DD6EF83AD1DE6FAA1AD7A6727B5D7A7985F92A92CA0779
                                                                                                                          Malicious:false
                                                                                                                          Preview:..............;. .N.T.P.R.I.N.T...I.N.F. .(.f.o.r. .W.i.n.d.o.w.s. .S.e.r.v.e.r. .2.0.0.3. .f.a.m.i.l.y.).....;.....;. .L.i.s.t. .o.f. .s.u.p.p.o.r.t.e.d. .p.r.i.n.t.e.r.s.,. .m.a.n.u.f.a.c.t.u.r.e.r.s.....;.........[.V.e.r.s.i.o.n.].....S.i.g.n.a.t.u.r.e.=.".$.W.i.n.d.o.w.s. .N.T.$.".....P.r.o.v.i.d.e.r.=.".M.i.c.r.o.s.o.f.t.".....C.l.a.s.s.G.U.I.D.=.{.4.D.3.6.E.9.7.9.-.E.3.2.5.-.1.1.C.E.-.B.F.C.1.-.0.8.0.0.2.B.E.1.0.3.1.8.}.....C.l.a.s.s.=.P.r.i.n.t.e.r.....C.a.t.a.l.o.g.F.i.l.e.=.n.t.p.r.i.n.t...c.a.t.....D.r.i.v.e.r.I.s.o.l.a.t.i.o.n.=.2.....D.r.i.v.e.r.V.e.r.=.0.6./.2.1./.2.0.0.6.,.6...1...7.6.0.0...1.6.3.8.5.........[.M.a.n.u.f.a.c.t.u.r.e.r.].....".M.i.c.r.o.s.o.f.t.".=.M.i.c.r.o.s.o.f.t.,.N.T.a.m.d.6.4.........[.M.i.c.r.o.s.o.f.t...N.T.a.m.d.6.4.].....".{.D.2.0.E.A.3.7.2.-.D.D.3.5.-.4.9.5.0.-.9.E.D.8.-.A.6.3.3.5.A.F.E.7.9.F.0.}.". .=. .{.D.2.0.E.A.3.7.2.-.D.D.3.5.-.4.9.5.0.-.9.E.D.8.-.A.6.3.3.5.A.F.E.7.9.F.0.}.,. .{.D.2.0.E.A.3.7.2.-.D.D.3.5.-.4.9.5.0.-.9.E.D.8.-.A.6.3.3.5.A.F.
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:MS Windows icon resource - 6 icons, 32x32, 4 bits/pixel, 16x16, 4 bits/pixel
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):10134
                                                                                                                          Entropy (8bit):5.364629779133003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:75LkqDCmLVf89uqywWrvNCB4isySOc3AOv2B+YT1/44tuU+3:1OmLVf4dErvNCB5tSOc3AY2BP944g
                                                                                                                          MD5:6F70BD62A17EC5B677EC1129F594EE6F
                                                                                                                          SHA1:4FB95EB83A99C0DA62919C34886B0A3667F3911E
                                                                                                                          SHA-256:FC8570D50C1773A1B34AA4E31143FD0776E26FF032EE3EEB6DB8BFAB42B4A846
                                                                                                                          SHA-512:615A7E8738B2CF1BC47C8D5FC1357C1299080D0BAA1E54129D0DEBDB6BA60CD366364BE0BDAFDABCBA60F16544B0516A50B4B0182E8BCF01F59171003CE9B244
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):17415
                                                                                                                          Entropy (8bit):4.618177193109944
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:U1EQCr2g2t2g2F2s2J2m2p2z2ZOgoNJUTIZah25Dy:3oLILwfcV86ZO3eTIZzy
                                                                                                                          MD5:8EE7FD65170ED9BD408E0C821171B62A
                                                                                                                          SHA1:9D14A87A049C3B576CEC4B28210F0C95B94E08E0
                                                                                                                          SHA-256:EE1E4D9869188CC3FA518C445ECF071845E5BD8BE56767A9F7F7DD3ACE294BA5
                                                                                                                          SHA-512:5740AB3545D2217BA2156C58BA9AF6681D73116AB5DFBEAA5AB615D9CD0C77716C25865E67188E9D7892B340776755D4CBB1A3E98FAEAF8B6BB4B2CCA00D8AE6
                                                                                                                          Malicious:false
                                                                                                                          Preview:*GPDSpecVersion: "1.0"..*GPDFileVersion: "1.0"..*GPDFileName: "***.GPD"..*Include: "STDNAMES_VPD.GPD"..*ModelName: "****"..*MasterUnits: PAIR(40800, 117600)..*ResourceDLL: "UNIRES_VPD.DLL"..*PrinterType: PAGE..*MaxCopies: 99....*Feature: Orientation..{.. *rcNameID: =ORIENTATION_DISPLAY.. *DefaultOption: PORTRAIT.. *Option: PORTRAIT.. {.. *rcNameID: =PORTRAIT_DISPLAY.. *Command: CmdSelect.. {.. *Order: DOC_SETUP.6.. *Cmd: "".. }.. }.. *Option: LANDSCAPE_CC270.. {.. *rcNameID: =LANDSCAPE_DISPLAY.. *Command: CmdSelect.. {.. *Order: DOC_SETUP.6.. *Cmd: "".. }.. }..}..*Feature: InputBin..{.. *rcNameID: =PAPER_SOURCE_DISPLAY.. *DefaultOption: AUTO...*Option: AUTO.. {.. *rcNameID: =AUTO_DISPLAY.. *Command: CmdSelect.. {.. *Order: DOC_SETUP.9.. *Cmd: "".. }.. }.. *Option: CASSETTE.. {.. *rcNameID:
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):41
                                                                                                                          Entropy (8bit):4.479503224130278
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:z8ANyq3jII7Vc:z8cy2lc
                                                                                                                          MD5:035B163A3E4C308F617C05E0137FAFD0
                                                                                                                          SHA1:484238C9C05805F1CA5A97FA58950253B7F9FCBE
                                                                                                                          SHA-256:00CA9230DBAC7FF222CA837AA796496FF4B9B15E0552D3D5AD26B040E2BAB8D7
                                                                                                                          SHA-512:3EB65CF86C3C71944C8100F90C60604DB4EA69CB187F8E473601845EB4520148CF3779762EF997DC5C14FE8A2269B928448DDF0338A4F172C0460FA0D6F29798
                                                                                                                          Malicious:false
                                                                                                                          Preview:[OEMFiles] ..OEMConfigFile1=rppdui.dll ..
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):98650
                                                                                                                          Entropy (8bit):4.192473934109759
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:5rENOwVRq6rZmor3CmRxhESLGZ0s1JP2PY6rZIshvwmE2uJJ6rZqDJK1YRo6rZGx:S9miFao0WDn
                                                                                                                          MD5:1614E6CDF119FD284D476F7E6723B3AD
                                                                                                                          SHA1:3FF9164C9E5FC47169CC1C6EECA22AAB099F2EA3
                                                                                                                          SHA-256:C8DF350F95FFEEED30060092DC8666EADCE040A4DDCB98E7A9293F87D19387A8
                                                                                                                          SHA-512:8FBCB156B2F9637BC15FA71758A361CB2500F5A19875EE6BE2B52FC3171C38353A6CDC623E36777D052E0B319C7AF934D2D1DBE92E69666C9B9AD749610BA471
                                                                                                                          Malicious:false
                                                                                                                          Preview:..[.E.n.g.l.i.s.h.].....L.a.n.g.I.D.=.1.0.3.3.....;. .l.o.o.k. .f.o.r. .l.a.n.g.u.a.g.e. .i.d.e.n.t.i.f.i.e.r.s. .i.n. .M.S.D.N. .-. .'.T.a.b.l.e. .o.f. .L.a.n.g.u.a.g.e. .I.d.e.n.t.i.f.i.e.r.s.'. .t.o.p.i.c.........;. .S.T.A.N.D.A.R.D. .D.I.A.L.O.G. .B.U.T.T.O.N.S.:.........1.=.O.K.....2.=.C.a.n.c.e.l.........;. .P.R.I.N.T.I.N.G. .P.R.E.F.E.R.E.N.C.E.S.:.........;. .C.o.m.m.o.n. .s.t.r.i.n.g.s.....;. .b.i.t.s. .p.e.r. .p.i.x.e.l.....5.0.0.0. .=. .1. .b.i.t. .-. .b.l.a.c.k. .a.n.d. .w.h.i.t.e.....5.0.0.1. .=. .4. .b.i.t.s. .-. .1.6. .c.o.l.o.r.s.....5.0.0.2. .=. .8. .b.i.t.s. .-. .2.5.6. .c.o.l.o.r.s.....5.0.0.3. .=. .2.4. .b.i.t.s. .-. .t.r.u.e. .c.o.l.o.r.........;. .C.o.m.p.r.e.s.s.i.o.n.....5.0.0.4. .=. .N.o.n.e.....5.0.0.5. .=. .A.u.t.o.m.a.t.i.c.....5.0.0.6. .=. .C.C.I.T.T. .m.o.d.i.f.i.e.d. .H.u.f.f.m.a.n. .R.L.E.....5.0.0.7. .=. .C.C.I.T.T. .G.r.o.u.p. .3. .f.a.x. .e.n.c.o.d.i.n.g.....5.0.0.8. .=. .C.C.I.T.T. .G.r.o.u.p. .4. .f.a.x. .e.n.c.o.d.i.n.g.....5.0.0.9. .=. .L.e.m.p.e.
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):33600
                                                                                                                          Entropy (8bit):6.281064018328684
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:az2vV5RqtDcvnyQW7I+Ud26uiGKjzAVQjXzPishb8pe+7mNwSumexmMK6jcy:hgo7WcDGuB3Upe2m9uZxBKg3
                                                                                                                          MD5:BED53AB8B9E406D1A8D6A85924E44282
                                                                                                                          SHA1:19628BD3DE2BEF0EDC3622E4A7184162BD979040
                                                                                                                          SHA-256:E5A10A74CFC36A4DCFCC9B25573B92A37B55062153EF9120B93154DB5792B3DA
                                                                                                                          SHA-512:6F5C6945B0A982E8C94A826685158286D16173F51B10FDF1F5B9F4F93562240736A09B5F0997E995C0AF07360BACD51FA46CB8E4A3FA319519F3727FF87613E7
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):159552
                                                                                                                          Entropy (8bit):6.178643199247813
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:VYM7lLXShoSAJzKb9P+K61JJBsJgTcqTIbMNZ3mo+aGh1G:77tK+K61vBsJKcq0bMNZPXP
                                                                                                                          MD5:F0A9D47D76E68883F04E60599EADAE6D
                                                                                                                          SHA1:8F7BB6B9E9CB70529FA4C442ABF507A2F546E6E3
                                                                                                                          SHA-256:2FAB0969C6E131834496428779A0809B97981F3E8D6FBF8A59632CB2DF783687
                                                                                                                          SHA-512:18BBD1A3899C6B2F361BFA575D50D7DA29EAEF0E1C7CB50B318CECFE3150F268C1CDF30FEB5246B9F9B5D7FE36BD4A268E06595D9D3F3D86D933F14F5C43AD43
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):87360
                                                                                                                          Entropy (8bit):6.424955012685773
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:1536:df1NQOOvFdve0e0ZIMhn9nA2LYK7ZOgkg6znnLnx9Inz1:/Adve07RnlhRN6znDQx
                                                                                                                          MD5:66C5F108A058B515BBDDE628384990C9
                                                                                                                          SHA1:0FBADFC5106056DFD269DF5EA532F69556CAE68F
                                                                                                                          SHA-256:8D596D33CC3962B33B46D361BBC44A8088F18C09949734F3DEC54828372426AE
                                                                                                                          SHA-512:6060EF07244385516989DF3AAD1C01E9F93B7B45A247D8D70FC5BE7A62BA96BFD22F80F0C78D178443D38796A2C7148CD3ADF4EB1A5FC430DFF5BB393492901E
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):14366
                                                                                                                          Entropy (8bit):4.1817849062232195
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:NjThm8JC986ITRCzEzEpYNwtd29u7ZTl8hF:yFzOnS7z0
                                                                                                                          MD5:7162D8977515A446D2C1E139DA59DED5
                                                                                                                          SHA1:952F696C463B8410B1FA93A3B2B6DAE416A81867
                                                                                                                          SHA-256:2835A439C6AE22074BC3372491CB71E6C2B72D0C87AE3EEE6065C6CAADF1E5C8
                                                                                                                          SHA-512:508F7CA3D4BC298534AB058F182755851051684F8D53306011F03875804C95E427428BD425DD13633EEC79748BB64E78AAD43E75B70CC5A3F0F4E6696DBB6D8E
                                                                                                                          Malicious:false
                                                                                                                          Preview:*%%% Copyright (c) 1997-1999 Microsoft Corporation..*%%% value macros for standard feature names and standard option names..*%%% used in older Unidrv's.....*CodePage: 1252 *% Windows 3.1 US (ANSI) code page....*Feature: RESDLL..{.. *Name: "resource dll files".. *ConcealFromUI?: TRUE.... *Option: UniresDLL.. {.. *Name: "unires_vpd.dll".. }..}....*Macros: StdFeatureNames..{.. ORIENTATION_DISPLAY: RESDLL.UniresDLL.11100.. PAPER_SIZE_DISPLAY: RESDLL.UniresDLL.11101.. PAPER_SOURCE_DISPLAY: RESDLL.UniresDLL.11102.. RESOLUTION_DISPLAY: RESDLL.UniresDLL.11103.. MEDIA_TYPE_DISPLAY: RESDLL.UniresDLL.11104.. TEXT_QUALITY_DISPLAY: RESDLL.UniresDLL.11105.. COLOR_PRINTING_MODE_DISPLAY: RESDLL.UniresDLL.11106.. PRINTER_MEMORY_DISPLAY: RESDLL.UniresDLL.11107.. TWO_SIDED_PRINTING_DISPLAY: RESDLL.UniresDLL.11108.. PAGE_PROTECTION_
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):383296
                                                                                                                          Entropy (8bit):6.650287803080611
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:yplBo/TK5C+psQzJzCSX6hjg+4GRr3CoA7f3j5G+hinZ5P31uGX7Zum8oyk7lATI:O0/djgEUhWnJ2UlxqOttoICvPn/318Sm
                                                                                                                          MD5:C3F39388BD4E6763F9734BC617388A17
                                                                                                                          SHA1:AF5B4753F99C3F115294662876D7191DC8652786
                                                                                                                          SHA-256:4D1F6A595889165B6A14B68D848C639748C9750C165BB4515CA3C3C67B4BA462
                                                                                                                          SHA-512:BD8D00461E65F156686B0FC799926897845900F072F7AC10B66387E041CC7D3810ADBFB0137E9EA7B24995A11D324707D9E0FCD699D36E62ED089F46CC5ABA58
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:MS Windows 3.1 help, Tue Apr 17 13:11:56 2001, 21225 bytes
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):21225
                                                                                                                          Entropy (8bit):3.9923245636306675
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:g8qo9MqLEGX9WkaNWvbAsmrEGckkwy95/HLQdu:g8rMqLwkW8AsqEHkkwy7N
                                                                                                                          MD5:6798F64959C913673BD66CD4E47F4A65
                                                                                                                          SHA1:C50FAA64C8267AC7106401E69DA5C15FC3F2034C
                                                                                                                          SHA-256:0C02B226BE4E7397F8C98799E58B0A512515E462CCDAAC04EDC10E3E1091C011
                                                                                                                          SHA-512:8D208306B6D0F892A2F16F8070A89D8EDB968589896CB70CF46F43BF4BEFB7C4CA6A278C35FE8A2685CC784505EFB77C32B0AABF80D13BCC0D10A39AE8AFB55A
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):755520
                                                                                                                          Entropy (8bit):6.198681499104638
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:IlIoM3g2e9Bg7Lg3yfKDPc97QpAxuKdwSGnZGxn:IvM36KkyCLW7QCwSGon
                                                                                                                          MD5:0822EE0FF996BEB2B31EBBDD6449231B
                                                                                                                          SHA1:7DF7F4978F3C4728CAEF9F95C6EB6C0D8CF8FDAC
                                                                                                                          SHA-256:D727150FA7853748655E9CAA9F19F633E33BD191284703D6609984A64CB39CAB
                                                                                                                          SHA-512:A47D25901FAD0507167E241350EC12C8D545F3F932E1B44E5F167A82263BCB97DA06B09454E8DE815EFC445088F2B1011028C3EAE5BF3F55FACAA3D9EC082815
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):770368
                                                                                                                          Entropy (8bit):5.629918098777896
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:tkoGBEoNh3bBPc/s4430ye84TF1dbua5TVhRre3kf8IKHgikinLC:LGBEGbL4Np84TQazCSiRC
                                                                                                                          MD5:385152D096A96D1966C1042EDE38114F
                                                                                                                          SHA1:A42D0587A2BF156C3F757778397A2E7AC8122E3C
                                                                                                                          SHA-256:5A22FE5AF587540A9840E4F2A515564A2478DDA47AC1C81B687AC2F59C4C2FD0
                                                                                                                          SHA-512:483E8819C6C5C1BCF725A4D6513364A5EE054E1D9100A8F42FFD2DBBFD52910CCA8E6DAF4435103C75AA2EBCA5A608BCC76EE6C531EA67C723267D9445D40256
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):247984
                                                                                                                          Entropy (8bit):6.601853231729306
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:+SsS5fv6EATwqlGwyfDyodYI3ZubfW5nb2PQuW0x:+I5fv6EATwqlGwyfDyodYI3Zv1C
                                                                                                                          MD5:69837E50C50561A083A72A5F8EA1F6A2
                                                                                                                          SHA1:1A4B4C6C3CB6A5164CC1018AC72D0300455B3D8F
                                                                                                                          SHA-256:9C9D4E421C55F7EF4E455E75B58A6639428CCD75C76E5717F448AFE4C21C52BC
                                                                                                                          SHA-512:FD20C6B4EEC972C775681AD7322769D5074108D730727051EF77D779A277D77B12419E1FEE1E2EC0CF376A235573A85AD37975245DBF078DE467953AFD02164A
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):52312
                                                                                                                          Entropy (8bit):6.450469916547452
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:MsmrWdCS5PvBHOUYTKJgr0OMpqdBwFrGjYBZyIh9rOQ:Mza/pu/TKJ/OMpTryYzyMCQ
                                                                                                                          MD5:4E84DF6558C385BC781CDDEA34C9FBA3
                                                                                                                          SHA1:6D63D87C19C11BDBFA484A5835FFFFD7647296C8
                                                                                                                          SHA-256:0526073F28A3B5999528BFA0E680D668922499124F783F02C52A3B25C367EF6D
                                                                                                                          SHA-512:C35DA0744568BFFFEFF09E6590D059E91E5D380C5FEB3A0FBC5B19477CECA007A882884A7033345CE408FCE1DEAC5248AD9B046656478D734FE494B787F8A9F2
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 8%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):9223040
                                                                                                                          Entropy (8bit):6.355581719432468
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:196608:vL7NqnDg0293wsNAXayRDfxihAYOjPTJ3kx+q8ZJPyv1wbl3bc2EeJUO9WLcb0K:9lOJDm1Wrc2EeJUO9WLcbN
                                                                                                                          MD5:8A9BDA9B9A84BD1551A09B65DFBC0C74
                                                                                                                          SHA1:14FB48758D664917D789C21DCCB26D9D987F099F
                                                                                                                          SHA-256:1D0F8C96F77C339A5F01822B9375131B0B0A49D6CAC45589CDB4B749DAA79773
                                                                                                                          SHA-512:BBFB78B3652532E97F66E2DE7BFBEEFCB59254D9E626C62FF1B2E735AF2549B5483AB07739F6C9A686304C5042CDA79312028293959500BAC2A1EFE91B7732DB
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7137640
                                                                                                                          Entropy (8bit):6.481515443983134
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:98304:ZRE7yGktThDyt6666666666666666666666666666666x666666666666666fww8:XGktThD0TGh/fTCRwlRvZG3XYBVX1
                                                                                                                          MD5:0DF9039CE4896584A206A40F48A07C6A
                                                                                                                          SHA1:34F0F9AEFD5E37B6B02D062B8AB967DC0F3D2F21
                                                                                                                          SHA-256:1DDE27F0410E59561EAB79A6C8EF6DF2ACEC52E92C9AC646135CD91940F2BE05
                                                                                                                          SHA-512:FCF74DD6BF3491D2E56A963ABF028EDA8DF17C11ABB793E6E3DAAD3C1E6C1AEE2F731B23CE243872B588CDF7B1B6382804F6B5204DFFC04F266BE3A329945FA4
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):11132168
                                                                                                                          Entropy (8bit):6.740943395722077
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:196608:kngOxqtJKXthIbi0EFrJIj35fGsX1bdXtK:kgOxqtQOUJ85jFhXQ
                                                                                                                          MD5:CB9BE257064162076EBD4869CD97E166
                                                                                                                          SHA1:49A8CACD48036784A413D63A242ED178BD75CBE9
                                                                                                                          SHA-256:8A3822D52B4D460430B9E8E0FA6E6BD2C458598E4DBC2529DF7F2BDF902D2DD2
                                                                                                                          SHA-512:013B7E7CCC77531C0D6FA81083B2F16CD0A2B2124105B2F855A478F1F114D3DBA75259B82596645E6BABD91E129E7F7F60AA85ECA32BD95F454B1A8A63B52EFB
                                                                                                                          Malicious:true
                                                                                                                          Yara Hits:
                                                                                                                          • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Author: Joe Security
                                                                                                                          • Rule: MALWARE_Win_RemoteUtilitiesRAT, Description: RemoteUtilitiesRAT RAT payload, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Author: ditekSHen
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 13%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):21764872
                                                                                                                          Entropy (8bit):6.6100525724973656
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:393216:KEpVg+4nw7m2R8VLgZDMwyA7FWBdlY74ZV:tZR8VLg8AGYs
                                                                                                                          MD5:D563A4D6BFCFE6884D1AC88824CB5C2A
                                                                                                                          SHA1:710C0369915390737ED9BC19252F517D2D2939ED
                                                                                                                          SHA-256:DE0FA71C1CFF03D657CB65A86072E964060C628AA4EB709CBE914DD772EF298D
                                                                                                                          SHA-512:219D6307697CB12FA56020E6B2DC8FF5D13904FD318E2ED3646B294FAA1A613D838D0350E59B911023EA6F6D62CE53E402F975CAD4311D9A7DA58BD675AE2DB6
                                                                                                                          Malicious:true
                                                                                                                          Yara Hits:
                                                                                                                          • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, Author: Joe Security
                                                                                                                          • Rule: MALWARE_Win_RemoteUtilitiesRAT, Description: RemoteUtilitiesRAT RAT payload, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, Author: ditekSHen
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 12%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):388696
                                                                                                                          Entropy (8bit):6.639766301981685
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:YIIDyjBnydesbWoiwS7dVIclCzoqHO/gCaEkkH8TuX6RTrWD4siZMZ+LG4IPWwc8:YI8tiDOzyH9H8Tu6h04fZMZoMPuvfj0h
                                                                                                                          MD5:E247666CDEA63DA5A95AEBC135908207
                                                                                                                          SHA1:4642F6C3973C41B7D1C9A73111A26C2D7AC9C392
                                                                                                                          SHA-256:B419ED0374E3789B4F83D4AF601F796D958E366562A0AAEA5D2F81E82ABDCF33
                                                                                                                          SHA-512:06DA11E694D5229783CFB058DCD04D855A1D0758BEEAA97BCD886702A1502D0BF542E7890AA8F2E401BE36CCF70376B5C091A5D328BB1ABE738BC0798AB98A54
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1640536
                                                                                                                          Entropy (8bit):6.686577023894573
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:OSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSvSSSSSSSSSSSSSSSlwwwwwwwwwwwwww3:OSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSZ
                                                                                                                          MD5:D5C2A6AC30E76B7C9B55ADF1FE5C1E4A
                                                                                                                          SHA1:3D841EB48D1A32B511611D4B9E6EED71E2C373EE
                                                                                                                          SHA-256:11C7004851E6E6624158990DC8ABE3AA517BCAB708364D469589AD0CA3DBA428
                                                                                                                          SHA-512:3C1C7FB535E779AC6C0D5AEF2D4E9239F1C27136468738A0BD8587F91B99365A38808BE31380BE98FD74063D266654A6AC2C2E88861A3FE314A95F1296699E1D
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):265816
                                                                                                                          Entropy (8bit):6.521007214956242
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:MW218gr7s2yIHB0pTPdTX9zUbEbStE97zjAs1RtTcJTfIv0se7POWu/HgsGU1VTl:MWSfr7sXSmPDbKPJ6/AsNk+1x
                                                                                                                          MD5:49C51ACE274D7DB13CAA533880869A4A
                                                                                                                          SHA1:B539ED2F1A15E2D4E5C933611D736E0C317B8313
                                                                                                                          SHA-256:1D6407D7C7FFD2642EA7F97C86100514E8E44F58FF522475CB42BCC43A1B172B
                                                                                                                          SHA-512:13440009E2F63078DCE466BF2FE54C60FEB6CEDEED6E9E6FC592189C50B0780543C936786B7051311089F39E9E3CCB67F705C54781C4CAE6D3A8007998BEFBF6
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):373336
                                                                                                                          Entropy (8bit):6.7704943019914845
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:faoH9sDRlDLD0GDkEp00tc6TKUOmrRK1jRsAOO04sAO88RtOd:noPH0GgEp0gVd1ValsQXsHOd
                                                                                                                          MD5:EDA07083AF5B6608CB5B7C305D787842
                                                                                                                          SHA1:D1703C23522D285A3CCDAF7BA2EB837D40608867
                                                                                                                          SHA-256:C4683EB09D65D692CA347C0C21F72B086BD2FAF733B13234F3A6B28444457D7D
                                                                                                                          SHA-512:BE5879621D544C4E2C4B0A5DB3D93720623E89E841B2982C7F6C99BA58D30167E0DD591A12048ED045F19EC45877AA2EF631B301B903517EFFA17579C4B7C401
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):880216
                                                                                                                          Entropy (8bit):5.239371133407635
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:vTAPYZEyRr+NDnaLyx2lz8MSjtX08pYRc29qcQmsGahsQZsbRN9S:YYF+Eyx2lzujtEIYRc1cQmsGa7ON9S
                                                                                                                          MD5:642DC7E57F0C962B9DB4C8FB346BC5A7
                                                                                                                          SHA1:ACEE24383B846F7D12521228D69135E5704546F6
                                                                                                                          SHA-256:63B4B5DB4A96A8ABEC82B64034F482B433CD4168C960307AC5CC66D2FBF67EDE
                                                                                                                          SHA-512:FB163A0CE4E3AD0B0A337F5617A7BF59070DF05CC433B6463384E8687AF3EDC197E447609A0D86FE25BA3EE2717FD470F2620A8FC3A2998A7C3B3A40530D0BAE
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1310720
                                                                                                                          Entropy (8bit):1.3073724948558019
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrx:KooCEYhgYEL0In
                                                                                                                          MD5:F3A63A4A2425402C86952095E8E8A445
                                                                                                                          SHA1:077B9A5BCF41F76966A1D172FB844E494F955D08
                                                                                                                          SHA-256:E581DD1535049A05609651E74CDAB9FF39E37DDD2DBAC52CE62EA66B8D0DBE15
                                                                                                                          SHA-512:8EEBB7A98B0F76E6B587E3650147667C80FAF349E3AE35D0CABC754AE788D356DB2AF7CB3131253195BE2AC2A234891BF23A734C22D621E06E1CF949E53AB576
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                          File Type:Extensible storage engine DataBase, version 0x620, checksum 0x425ee8b2, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1310720
                                                                                                                          Entropy (8bit):0.4221426327389239
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:1536:hSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:haza/vMUM2Uvz7DO
                                                                                                                          MD5:09A377689EF7280BFC9D78A7B0E8D3C9
                                                                                                                          SHA1:0D022BBF5F0DEDD5C3A1A88D701C32739013D52E
                                                                                                                          SHA-256:4A3923AAEF275EE529A1B4518E75C7923104FED4A923CBBA088D6092FB915F34
                                                                                                                          SHA-512:200C84B1386B344BAB2ADBA8825CA0B45FBDB3C0014F63EF24B1EB6DAA39FC135B9968FA90343734EA7E22297016FA4565ED6BD49034AFEC8F06474B88511E1E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):16384
                                                                                                                          Entropy (8bit):0.07684830299345699
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:ebm//EYehpoluajn13a/SbdCzl/llollcVO/lnlZMxZNQl:ebW/Ezhpda53qSRCzl/AOewk
                                                                                                                          MD5:F5010BDC88699453C3630E91D520DF4B
                                                                                                                          SHA1:3130584A4F6B6AB14BF3E05625BEE04BB830CD0D
                                                                                                                          SHA-256:3CC9CEDFB9988AE8F31E96088558B2A442130F39C32CC3073B1534CE9A7EEAA8
                                                                                                                          SHA-512:25E1288EF16C6334DC38CC141A9406FB63EE07016AA79842EC1E384F8A22C609B340163E13BB6B90D17FC09E3A20553F450C6CFCC577B287F81D478479C379F5
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                                          File Type:HTML document, ASCII text, with CR line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6337
                                                                                                                          Entropy (8bit):5.409863846728471
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:lr0xccoJxML6RLidRLi1ong4KpECYddWl:lzcWS6pidpiog4KpExdMl
                                                                                                                          MD5:32A06A33EFBC61CCA6C192A082455540
                                                                                                                          SHA1:2DE6E3B2753846BEFCB619CFB2D42570E82B68DC
                                                                                                                          SHA-256:A5A015B6DB777868FA1010540EFBB9E16C6146E0566EDB7DEB50C311C1EB6E94
                                                                                                                          SHA-512:98C5309C8AD77A03604967ECAD06840DF96F352DE38211D39E7F2E4CDD26D2DFE30608CF0EC37ECC889FBCC6C7E1A9B6D7DA1B6C9EC8C5B7A21B613F7D585729
                                                                                                                          Malicious:false
                                                                                                                          Preview:<head>.<meta http-equiv="content-type" content="text/html; charset=utf-8" />.<meta name="copyright" content="TektonIT" />.<meta name="description" content="Remote Manipulator System - Server software, event log. Tektonit.com" />.<title>RMS &ndash; host log</title>.<style type="text/css">.body {.font-family: Courier New, monospace;.font-size: 100%;.background-color: #FFFFFF;.} .h1 {.font-size: 130%;.margin: 0px 0px 0px 0px;.} .textarea {.display: none;.margin-top: 5px;.width: 100%;.} ..main_table td {.border: 1px dashed #DADADA;.} ..e_l_0 {.background-color: #4c4cff;.border: 1px solid red;.} ..e_l_1 {.background-color: #fff04c;.border: none;.} ..e_l_2 {.background-color: #ffa94c;.border: none;.} ..e_l_3 {.background-color: #fc2727;.border: none;.} .#log_header td {.font-weight: bold;.} .#subheader {.font-size: 70%;.color: #DADADA;.margin-bottom: 10px;.} .</style>.<script language="javascript">.function show_textarea(elem) {.var parent_node = elem.parentNode;.var nodes = parent_node.chil
                                                                                                                          Process:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):333
                                                                                                                          Entropy (8bit):5.034371350159265
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:oYLmKRL/9YLdd/ao9YLhHujHO7eVVYLwmnXjKV9YLOLGeXkRLNWy:oYfjYDSo9Y9Be/YRTiY6r06y
                                                                                                                          MD5:0E7D0B940AD2724F91016106DC5E7EC1
                                                                                                                          SHA1:F7D3D44DC9F90FB532648B38D6189B0E0892F50D
                                                                                                                          SHA-256:C39CCDF3DD1F7FFE03555F782CB89F401B4B02B629D59DA0AFD4656A7256F7DF
                                                                                                                          SHA-512:CB0D40FE7192F89088D96C1D1EC128E9AE26DEF5671568E5F170A5DB3541474B937752B1E19FAA137B3E50C044D2E5F9188BE9DD6BCC44BF7664BE692B79C1A3
                                                                                                                          Malicious:false
                                                                                                                          Preview:03-12-2024_06:36:05#T:SilentInstall: installation 70270..03-12-2024_06:36:05#T:SilentInstall: NTSetPrivilege:SE_DEBUG_NAME:false. OK..03-12-2024_06:36:05#T:SilentInstall: OpenService: service not found_1. OK..03-12-2024_06:36:05#T:SilentInstall: CreateService. OK..03-12-2024_06:36:05#T:SilentInstall: finished (installation) 70270..
                                                                                                                          Process:C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
                                                                                                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: RMS - Host 7.2, Comments: This installer contains the logic and data to install RMS - Host 7.2, Keywords: Installer,MSI,Database, Subject: RMS - Host 7.2, Author: TektonIT, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2021 - Premier Edition with Virtualization Pack 27, Last Saved Time/Date: Thu Jul 18 02:24:09 2024, Create Time/Date: Thu Jul 18 02:24:09 2024, Last Printed: Thu Jul 18 02:24:09 2024, Revision Number: {134AA6F2-2A49-44F2-A7A5-B7B9233956FA}, Code page: 1251, Template: Intel;1049
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):26864640
                                                                                                                          Entropy (8bit):7.924911310016854
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:393216:3fWbJGFHH0km5pmwUs1211e50MRZDzPHPRn9xrUVaWILZPLM4ShshVK6KZ478Qic:3fRLmf21sq8P50dILZPLzVK6D
                                                                                                                          MD5:24F15E659ECB67862F4C6E72726BFCA7
                                                                                                                          SHA1:75D90172D7A315A31A484629DC8573367F3E544A
                                                                                                                          SHA-256:F11C06F1FD567E26FB4CE9999749516B6E47ADE4EE0B7B875A75A5CBFB74DC04
                                                                                                                          SHA-512:913C9FB7FDCA7F9F7DD7077C34092E76E42D88802406C9A5F6E8AA0C21E4F21FEE850A39B95982EFE9ED4A2D022A95C30739CC20DC65F3C6722B6022D8F76B3C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):338
                                                                                                                          Entropy (8bit):3.4429729233531714
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:kKYW8Y2JFN+SkQlPlEGYRMY9z+s3Ql2DUevat:nFlkPlE99SCQl2DUevat
                                                                                                                          MD5:6345F428A66E4BC4B4C1EBF4625C42DC
                                                                                                                          SHA1:2E51DF5CAC7ED515B311B51CD97F518CA716151A
                                                                                                                          SHA-256:CC865294F6827335347C365E173FCBDB12094B0BA63A8E14A436FF6FE644A050
                                                                                                                          SHA-512:5A6356536DC4E90BE582BC28BDF88935A220167B18CBBB105BA4547821D98EA0B5F8D0A5A939E46442BBB9BD8FA56B78BDD27603CF87755154A614DE77151AC4
                                                                                                                          Malicious:false
                                                                                                                          Preview:p...... ........Bd..wE..(...................................................@... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:JSON data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):521377
                                                                                                                          Entropy (8bit):4.9084889265453135
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:gdTb5Sb3F2FqSrfZm+CnQsbzxZO7aYb6f5780K2:wb5q3umBnzT
                                                                                                                          MD5:C37972CBD8748E2CA6DA205839B16444
                                                                                                                          SHA1:9834B46ACF560146DD7EE9086DB6019FBAC13B4E
                                                                                                                          SHA-256:D4CFBB0E8B9D3E36ECE921B9B51BD37EF1D3195A9CFA1C4586AEA200EB3434A7
                                                                                                                          SHA-512:02B4D134F84122B6EE9A304D79745A003E71803C354FB01BAF986BD15E3BA57BA5EF167CC444ED67B9BA5964FF5922C50E2E92A8A09862059852ECD9CEF1A900
                                                                                                                          Malicious:false
                                                                                                                          Preview:{"MajorVersion":4,"MinorVersion":40,"Expiration":14,"Fonts":[{"a":[4294966911],"f":"Abadi","fam":[],"sf":[{"c":[1,0],"dn":"Abadi","fs":32696,"ful":[{"lcp":983041,"lsc":"Latn","ltx":"Abadi"}],"gn":"Abadi","id":"23643452060","p":[2,11,6,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":26215680},{"c":[1,0],"dn":"Abadi Extra Light","fs":22180,"ful":[{"lcp":983042,"lsc":"Latn","ltx":"Abadi Extra Light"}],"gn":"Abadi Extra Light","id":"17656736728","p":[2,11,2,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":13108480}]},{"a":[4294966911],"f":"ADLaM Display","fam":[],"sf":[{"c":[536870913,0],"dn":"ADLaM Display Regular","fs":140072,"ful":[{"lcp":983040,"lsc":"Latn","ltx":"ADLaM Display"}],"gn":"ADLaM Display","id":"31965479471","p":[2,1,0,0,0,0,0,0,0,0],"sub":[],"t":"ttf","u":[2147491951,1107296330,0,0],"v":131072,"w":26215680}]},{"a":[4294966911],"f":"Agency FB","fam":[],"sf":[{"c":[536870913,0],"dn":"Agency FB Bold","fs":54372,"ful":[{"lcp":9830
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:TrueType Font data, 10 tables, 1st "OS/2", 7 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.msofp_4_40RegularVersion 4.40;O365
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):773040
                                                                                                                          Entropy (8bit):6.55939673749297
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:Zn84XULLDs51UJQSOf9VvLXHyheIQ47gEFGHtAgk3+/cLQ/zhm1kjFKy6Nyjbqq+:N8XPDs5+ivOXgo1kYvyz2
                                                                                                                          MD5:4296A064B917926682E7EED650D4A745
                                                                                                                          SHA1:3953A6AA9100F652A6CA533C2E05895E52343718
                                                                                                                          SHA-256:E04E41C74D6C78213BA1588BACEE64B42C0EDECE85224C474A714F39960D8083
                                                                                                                          SHA-512:A25388DDCE58D9F06716C0F0BDF2AEFA7F68EBCA7171077533AF4A9BE99A08E3DCD8DFE1A278B7AA5DE65DA9F32501B4B0B0ECAB51F9AF0F12A3A8A75363FF2C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2278
                                                                                                                          Entropy (8bit):3.839556199891144
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:uiTrlKxsxxwzxl9Il8uZVWC0aE60h2RLvY7Foyf3Uypd1rc:vQ3YPf0aEXweff3a
                                                                                                                          MD5:9B327515DF5B3D747C5B2591A2EA9AE9
                                                                                                                          SHA1:97FE441D989777CF3FB31AB4F0E721024EBC62D3
                                                                                                                          SHA-256:BEBF74FCE0451C64010FCBD6A6B1693908D92B3AC6E5EA0C77A1BC03FEB8B66F
                                                                                                                          SHA-512:5672560DB852E150DB861356162C0B2CEF4B716AB86E61FEF37A22AFFE711E071BC2D29D976DFB61B6E2BED3599CFDF238F0054D2A98CDCCE8D6285A66596D12
                                                                                                                          Malicious:false
                                                                                                                          Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".C.J.1.m.u.g.S.o.z.s.S.9.x.S.Z./.Q.v.O.c.+.E.J.4.u.2.c.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.L.H.W.5.H.9.F.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.A.w.1.v.1.w.
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2684
                                                                                                                          Entropy (8bit):3.907667986975373
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:uiTrlKxJxixl9Il8uZnVImql5mtvVpqtOeod/vc:LYPVpqlIttQAex
                                                                                                                          MD5:6F26CBECCE8F510A58FA603D7D97526E
                                                                                                                          SHA1:3092BC387D36205E953557BA87271A9A65D27D80
                                                                                                                          SHA-256:3E80A99334DC379D93431E44C296892CD237D88A436D23E7432179F87BE0117A
                                                                                                                          SHA-512:50058B9078F8F0433FDDAFE731D8C70D387C39CA9DC0972F0AF21BDD29A284C49966AD05F2A056C0DADE4B7187FF6411E5496B8097A38840DA06105D061C563E
                                                                                                                          Malicious:false
                                                                                                                          Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".V.H.X.L.G.R.5.H.j.D.k.3.C.i.F.b.L.a.m.K.N.+.n.c.g.T.0.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".n.C.F.u./.E.h.k.3.A.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.A.w.1.v.1.w.
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4542
                                                                                                                          Entropy (8bit):3.999384233954143
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:uiTrlKxxxxxD9Il8uZjRTa4PU4O0U/OPNDxnckHBkYYnFDaI00+t1jeX7hRPIsaO:WYPhhCgFhktnF+I00QyjP2Ra5D
                                                                                                                          MD5:4BBA4010041BF9A8A3434AE73042844D
                                                                                                                          SHA1:9FA2AC0AD1CA788A08DB42E0600A70F7E60F3EF1
                                                                                                                          SHA-256:6407B1AAB8E5E070007E346E797519FB54261642F68CC45BC8E3EFC02A87D253
                                                                                                                          SHA-512:1F1ABFDBCC21F8E2DE8A085BB2B574AD6063F889841530B5432562D85A11FC8711E03ED7B45537312365B352635B5A3E184D26E944F7211867F4A0D175B9471F
                                                                                                                          Malicious:false
                                                                                                                          Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".V.q.Y.a.6.3.X.Y.9.b.4.Y.b.C.Z.g.f.0.u.y.E.6.v.n.x.e.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".t.Z.u.s.y.n.d.F.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.A.w.1.v.1.w.
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 1428x2020, components 3
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):217242
                                                                                                                          Entropy (8bit):7.641248072397463
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:0yKKhARKP6+FeRJhaigk8Ukyhxv8vyNrwyJN2EiXo4EaCNSltkprZvyYqZtGq:0yKKhEKBSf/vv8vyNjz9oltkyY2
                                                                                                                          MD5:6CFFBB054A1BD06B3B1018684467A551
                                                                                                                          SHA1:347CECCBDFCE4CB2AA96F90735C2F5975E9ABC3F
                                                                                                                          SHA-256:E0967AD8F4F2DF25AD1343AABF1C144E48D83BC3E61E2122F5BBF9A83EA63709
                                                                                                                          SHA-512:24726671FEFA5228737C2E3E2CC159ECA90CD770022051A07C4C059B5378DA251E70568C956CB00631E12424FF5218E7A9A9BE30B0F4D47C277FC470218F88F0
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1536
                                                                                                                          Entropy (8bit):0.09783851312991518
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:llmn/lLfn:YZn
                                                                                                                          MD5:881EE5BD27A267B0F01FD15E90AC4309
                                                                                                                          SHA1:39D217D0F4BDE69A9A163E9F6C5728FDE81907F7
                                                                                                                          SHA-256:90305EA213DDD5187AC57A744160391E8F9CD88FE8C355170291294739AAE912
                                                                                                                          SHA-512:870D03A7DE2D66778F5199708387802196419BCA134EF50F6279715EC0EEFCB01AAE209ABCB790397A855301409EC6403A3B002214CB5B07153AD4CBD7B556B7
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):20971520
                                                                                                                          Entropy (8bit):0.015382612512240953
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:1536:TDT/RCULVPONrjVTcM0KEf3TWRepyxlIvMBn:3
                                                                                                                          MD5:05AFC25EA56727D7A3F128EC3042450F
                                                                                                                          SHA1:E737BBCA8CC48DBC380C4C93E8941A1E00B44C32
                                                                                                                          SHA-256:C998123750503A655FCB5215D93AEBB619068B7DD8CD4213724208E5A91F73B3
                                                                                                                          SHA-512:4B89AB980AFF9DFE760954049A15A824F26B3170B3A10E8495FA321741DC2FA1A6AAA4C5A6484803513202E85E3F382E0F0E00D61D9F80E83A9484CCA2A93C90
                                                                                                                          Malicious:false
                                                                                                                          Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..12/03/2024 11:35:50.180.WINWORD (0x1E50).0x1ED8.Microsoft Word.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.LoadXmlRules","Flags":33777014401990913,"InternalSequenceNumber":22,"Time":"2024-12-03T11:35:50.180Z","Contract":"Office.System.Activity","Activity.CV":"os0FuTj7SU2xNw+CYZhiQQ.7.1","Activity.Duration":159,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":false,"Activity.Result.Code":-2147024890,"Activity.Result.Type":"HRESULT","Activity.Result.Tag":528307459}...12/03/2024 11:35:50.180.WINWORD (0x1E50).0x1ED8.Microsoft Word.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.ProcessIdleQueueJob","Flags":33777014401990913,"InternalSequenceNumber":23,"Time":"2024-12-03T11:35:50.180Z","Contract":"Office.System.Activity","Activity.CV":"os0FuTj7SU2xNw+CYZhiQQ.7","Activity.Duration":2624,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":false,"Data.FailureD
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):20971520
                                                                                                                          Entropy (8bit):0.0
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3::
                                                                                                                          MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                                                                                                                          SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                                                                                                                          SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                                                                                                                          SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):523048
                                                                                                                          Entropy (8bit):7.715248170753013
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:WfmDdN6Zfv8q5rnM6vZ02PtMZRkfW5ipbnMHxVcsOWrCMxy0sD/mcKb4rYEY:xDdQXBrMi2YtggW5ObnMH1brJpUmBU0N
                                                                                                                          MD5:C276F590BB846309A5E30ADC35C502AD
                                                                                                                          SHA1:CA6D9D6902475F0BE500B12B7204DD1864E7DD02
                                                                                                                          SHA-256:782996D93DEBD2AF9B91E7F529767A8CE84ACCC36CD62F24EBB5117228B98F58
                                                                                                                          SHA-512:B85165C769DFE037502E125A04CFACDA7F7CC36184B8D0A54C1F9773666FFCC43A1B13373093F97B380871571788D532DEEA352E8D418E12FD7AAD6ADB75A150
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):276
                                                                                                                          Entropy (8bit):3.5159096381406645
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:Q+sxnxUXQIa3ARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnygIaqymD0wbnKNAH/lMz1
                                                                                                                          MD5:71CCB69AF8DD9821F463270FB8CBB285
                                                                                                                          SHA1:8FED3EB733A74B2A57D72961F0E4CF8BCA42C851
                                                                                                                          SHA-256:8E63D7ABA97DABF9C20D2FAC6EB1665A5D3FDEAB5FA29E4750566424AE6E40B4
                                                                                                                          SHA-512:E62FC5BEAEC98C5FDD010FABDAA8D69237D31CA9A1C73F168B1C3ED90B6A9B95E613DEAD50EB8A5B71A7422942F13D6B5A299EB2353542811F2EF9DA7C3A15DC
                                                                                                                          Malicious:false
                                                                                                                          Preview:[File] | OriginalName: Frame.thmx | Component: PPTFiles | ReqVer: 14 | Executable: {PP} | StoreLocation: {My Templates} | Command: {FilePath}
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:modified
                                                                                                                          Size (bytes):274
                                                                                                                          Entropy (8bit):3.4699940532942914
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fxnxUXGWWYlIWimoa2nRE3QepmlJ0+3FbnKfZObdADxp1RDWlVwv:fxny2WzIgN2RGHmD0wbnKYZAH+Vwv
                                                                                                                          MD5:55BA5B2974A072B131249FD9FD42EB91
                                                                                                                          SHA1:6509F8AC0AA23F9B8F3986217190F10206A691EA
                                                                                                                          SHA-256:13FFAAFFC987BAAEF7833CD6A8994E504873290395DC2BD9B8E1D7E7E64199E7
                                                                                                                          SHA-512:3DFB0B21D09B63AF69698252D073D51144B4E6D56C87B092F5D97CE07CBCF9C966828259C8D95944A7732549C554AE1FF363CB936CA50C889C364AA97501B558
                                                                                                                          Malicious:false
                                                                                                                          Preview:[File] | OriginalName: Insight design set.dotx | Component: WordFiles | ReqVer: 14 | Executable: {WD} | StoreLocation: {WD Document Parts}
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Word 2007+
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3465076
                                                                                                                          Entropy (8bit):7.898517227646252
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:98304:n8ItVaN7vTMZ9IBbaETXbI8ItVaN7vTMZ9IBbaEiXbY:8ItwNX9BvTvItwNX9BvoM
                                                                                                                          MD5:8BC84DB5A3B2F8AE2940D3FB19B43787
                                                                                                                          SHA1:3A5FE7B14D020FAD0E25CD1DF67864E3E23254EE
                                                                                                                          SHA-256:AF1FDEEA092169BF794CDC290BCA20AEA07AC7097D0EFCAB76F783FA38FDACDD
                                                                                                                          SHA-512:558F52C2C79BF4A3FBB8BB7B1C671AFD70A2EC0B1BDE10AC0FED6F5398E53ED3B2087B38B7A4A3D209E4F1B34150506E1BA362E4E1620A47ED9A1C7924BB9995
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3611324
                                                                                                                          Entropy (8bit):7.965784120725206
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:ixc1kZBIabo4dTJyr3hJ50gd9OaFxTy+1Nn/M/noivF0po3M0h0Vsm:ixcaAabT83hJLdoaFxTygxcoiX3M0iCm
                                                                                                                          MD5:FB88BFB743EEA98506536FC44B053BD0
                                                                                                                          SHA1:B27A67A5EEC1B5F9E7A9C3B76223EDE4FCAF5537
                                                                                                                          SHA-256:05057213BA7E5437AC3B8E9071A5577A8F04B1A67EFE25A08D3884249A22FBBF
                                                                                                                          SHA-512:4270A19F4D73297EEC910B81FF17441F3FC7A6A2A84EBA2EA3F7388DD3AA0BA31E9E455CFF93D0A34F4EC7CA74672D407A1C4DC838A130E678CA92A2E085851C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):288
                                                                                                                          Entropy (8bit):3.5359188337181853
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:Q+sxnxUXe46x8RELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyO3UymD0wbnKNAH/lMz1
                                                                                                                          MD5:0FEA64606C519B78B7A52639FEA11492
                                                                                                                          SHA1:FC9A6D5185088318032FD212F6BDCBD1CF2FFE76
                                                                                                                          SHA-256:60059C4DD87A74A2DC36748941CF5A421ED394368E0AA19ACA90D850FA6E4A13
                                                                                                                          SHA-512:E04102E435B8297BF33086C0AD291AD36B5B4A97A59767F9CAC181D17CFB21D3CAA3235C7CD59BB301C58169C51C05DDDF2D637214384B9CC0324DAB0BB1EF8D
                                                                                                                          Malicious:false
                                                                                                                          Preview:[File] | OriginalName: Vapor_Trail.thmx | Component: PPTFiles | ReqVer: 14 | Executable: {PP} | StoreLocation: {My Templates} | Command: {FilePath}
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):608122
                                                                                                                          Entropy (8bit):7.729143855239127
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:Ckl6KRKwg9jf2q/bN69OuGFlC/DUhq68xOcJzGYnTxlLqU8dmTW:8yKwgZ2qY9kA7Uhq68H3ybmq
                                                                                                                          MD5:8BA551EEC497947FC39D1D48EC868B54
                                                                                                                          SHA1:02FA15FDAF0D7E2F5D44CAE5FFAE49E8F91328DF
                                                                                                                          SHA-256:DB2E99B969546E431548EBD58707FC001BBD1A4BDECAD387D194CC9C6D15AC89
                                                                                                                          SHA-512:CC97F9B2C83FF7CAC32AB9A9D46E0ACDE13EECABECD653C88F74E4FC19806BB9498D2F49C4B5581E58E7B0CB95584787EA455E69D99899381B592BEA177D4D4B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):278
                                                                                                                          Entropy (8bit):3.516359852766808
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:Q+sxnxUXKwRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny6qymD0wbnKNAH/lMz1
                                                                                                                          MD5:960E28B1E0AB3522A8A8558C02694ECF
                                                                                                                          SHA1:8387E9FD5179A8C811CCB5878BAC305E6A166F93
                                                                                                                          SHA-256:2707FCA8CEC54DF696F19F7BCAD5F0D824A2AC01B73815DE58F3FCF0AAB3F6A0
                                                                                                                          SHA-512:89EA06BA7D18B0B1EA624BBC052F73366522C231BD3B51745B92CF056B445F9D655F9715CBDCD3B2D02596DB4CD189D91E2FE581F2A2AA2F6D814CD3B004950A
                                                                                                                          Malicious:false
                                                                                                                          Preview:[File] | OriginalName: Parcel.thmx | Component: PPTFiles | ReqVer: 14 | Executable: {PP} | StoreLocation: {My Templates} | Command: {FilePath}
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):777647
                                                                                                                          Entropy (8bit):7.689662652914981
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:B04bNOJMngI856k0wwOGXMaXTLaTDmfBaN2Tx9iSUk1PdSnc0lnDlcGMcEFYYYYt:xbY6ngI46Aw5dmyYYYYYYYYY7p8d
                                                                                                                          MD5:B30D2EF0FC261AECE90B62E9C5597379
                                                                                                                          SHA1:4893C5B9BE04ECBB19EE45FFCE33CA56C7894FE3
                                                                                                                          SHA-256:BB170D6DE4EE8466F56C93DC26E47EE8A229B9C4842EA8DD0D9CCC71BC8E2976
                                                                                                                          SHA-512:2E728408C20C3C23C84A1C22DB28F0943AAA960B4436F8C77570448D5BEA9B8D53D95F7562883FA4F9B282DFE2FD07251EEEFDE5481E49F99B8FEDB66AAAAB68
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):290
                                                                                                                          Entropy (8bit):3.5091498509646044
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:Q+sxnxUX1MiDuRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyFdMymD0wbnKNAH/lMz1
                                                                                                                          MD5:23D59577F4AE6C6D1527A1B8CDB9AB19
                                                                                                                          SHA1:A345D683E54D04CC0105C4BFFCEF8C6617A0093D
                                                                                                                          SHA-256:9ADD2C3912E01C2AC7FAD6737901E4EECBCCE6EC60F8E4D78585469A440E1E2C
                                                                                                                          SHA-512:B85027276B888548ECB8A2FC1DB1574C26FF3FCA7AF1F29CD5074EC3642F9EC62650E7D47462837607E11DCAE879B1F83DF4762CA94667AE70CBF78F8D455346
                                                                                                                          Malicious:false
                                                                                                                          Preview:[File] | OriginalName: Metropolitan.thmx | Component: PPTFiles | ReqVer: 14 | Executable: {PP} | StoreLocation: {My Templates} | Command: {FilePath}
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):924687
                                                                                                                          Entropy (8bit):7.824849396154325
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:lsadD3eLxI8XSh4yDwFw8oWR+6dmw2ZpQDKpazILv7Jzny/ApcWqyOpEZULn:qLxI8XSh4yUF/oWR+mLKpYIr7l3ZQ7n
                                                                                                                          MD5:97EEC245165F2296139EF8D4D43BBB66
                                                                                                                          SHA1:0D91B68CCB6063EB342CFCED4F21A1CE4115C209
                                                                                                                          SHA-256:3C5CF7BDB27592791ADF4E7C5A09DDE4658E10ED8F47845064DB1153BE69487C
                                                                                                                          SHA-512:8594C49CAB6FF8385B1D6E174431DAFB0E947A8D7D3F200E622AE8260C793906E17AA3E6550D4775573858EA1243CCBF7132973CD1CF7A72C3587B9691535FF8
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):282
                                                                                                                          Entropy (8bit):3.51145753448333
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:Q+sxnxUXKsWkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny6svymD0wbnKNAH/lMz1
                                                                                                                          MD5:7956D2B60E2A254A07D46BCA07D0EFF0
                                                                                                                          SHA1:AF1AC8CA6FE2F521B2EE2B7ABAB612956A65B0B5
                                                                                                                          SHA-256:C92B7FD46B4553FF2A656FF5102616479F3B503341ED7A349ECCA2E12455969E
                                                                                                                          SHA-512:668F5D0EFA2F5168172E746A6C32820E3758793CFA5DB6791DE39CB706EF7123BE641A8134134E579D3E4C77A95A0F9983F90E44C0A1CF6CDE2C4E4C7AF1ECA0
                                                                                                                          Malicious:false
                                                                                                                          Preview:[File]..OriginalName: Parallax.thmx..Component: PPTFiles..ReqVer: 14..Executable: {PP}..StoreLocation: {My Templates}..Command: {FilePath}..
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):966946
                                                                                                                          Entropy (8bit):7.8785200658952
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:qBcvGBGhXQir6H1ws6+iU0YuA35VuinHX2NPs:ccvGBGdQ5CsMxQVj3yPs
                                                                                                                          MD5:F03AB824395A8F1F1C4F92763E5C5CAD
                                                                                                                          SHA1:A6E021918C3CEFFB6490222D37ECEED1FC435D52
                                                                                                                          SHA-256:D96F7A63A912CA058FB140138C41DCB3AF16638BA40820016AF78DF5D07FAEDD
                                                                                                                          SHA-512:0241146B63C938F11045FB9DF5360F63EF05B9B3DD1272A3E3E329A1BFEC5A4A645D5472461DE9C06CFE4ADB991FE96C58F0357249806C341999C033CD88A7AF
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):282
                                                                                                                          Entropy (8bit):3.5323495192404475
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:Q+sxnxUXhduDARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyxdumymD0wbnKNAH/lMz1
                                                                                                                          MD5:BD6B5A98CA4E6C5DBA57C5AD167EDD00
                                                                                                                          SHA1:CCFF7F635B31D12707DC0AC6D1191AB5C4760107
                                                                                                                          SHA-256:F22248FE60A55B6C7C1EB31908FAB7726813090DE887316791605714E6E3CEF7
                                                                                                                          SHA-512:A178299461015970AF23BA3D10E43FCA5A6FB23262B0DD0C5DDE01D338B4959F222FD2DC2CC5E3815A69FDDCC3B6B4CB8EE6EC0883CE46093C6A59FF2B042BC1
                                                                                                                          Malicious:false
                                                                                                                          Preview:[File]..OriginalName: Quotable.thmx..Component: PPTFiles..ReqVer: 14..Executable: {PP}..StoreLocation: {My Templates}..Command: {FilePath}..
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1649585
                                                                                                                          Entropy (8bit):7.875240099125746
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:L368X6z95zf5BbQ6U79dYy2HiTIxRboyM/LZTl5KnCc:r68kb7UTYxGIxmnp65
                                                                                                                          MD5:35200E94CEB3BB7A8B34B4E93E039023
                                                                                                                          SHA1:5BB55EDAA4CDF9D805E36C36FB092E451BDDB74D
                                                                                                                          SHA-256:6CE04E8827ABAEA9B292048C5F84D824DE3CEFDB493101C2DB207BD4475AF1FD
                                                                                                                          SHA-512:ED80CEE7C22D10664076BA7558A79485AA39BE80582CEC9A222621764DAE5EFA70F648F8E8C5C83B6FE31C2A9A933C814929782A964A47157505F4AE79A3E2F9
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):284
                                                                                                                          Entropy (8bit):3.5552837910707304
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:Q+sxnxUXtLARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnygymD0wbnKNAH/lMz1
                                                                                                                          MD5:5728F26DF04D174DE9BDFF51D0668E2A
                                                                                                                          SHA1:C998DF970655E4AF9C270CC85901A563CFDBCC22
                                                                                                                          SHA-256:979DAFD61C23C185830AA3D771EDDC897BEE87587251B84F61776E720ACF9840
                                                                                                                          SHA-512:491B36AC6D4749F7448B9A3A6E6465E8D97FB30F33EF5019AF65660E98F4570711EFF5FC31CBB8414AD9355029610E6F93509BC4B2FB6EA79C7CB09069DE7362
                                                                                                                          Malicious:false
                                                                                                                          Preview:[File]..OriginalName: Wood_Type.thmx..Component: PPTFiles..ReqVer: 14..Executable: {PP}..StoreLocation: {My Templates}..Command: {FilePath}..
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):976001
                                                                                                                          Entropy (8bit):7.791956689344336
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:zHM7eZGgFiHMRej4N9tpytNZ+tIw5ErZBImlX0m:zHM7eZGgFiHMRej++NZ+F5WvllZ
                                                                                                                          MD5:9E563D44C28B9632A7CF4BD046161994
                                                                                                                          SHA1:D3DB4E5F5B1CC6DD08BB3EBF488FF05411348A11
                                                                                                                          SHA-256:86A70CDBE4377C32729FD6C5A0B5332B7925A91C492292B7F9C636321E6FAD86
                                                                                                                          SHA-512:8EB14A1B10CB5C7607D3E07E63F668CFC5FC345B438D39138D62CADF335244952FBC016A311D5CB8A71D50660C49087B909528FC06C1D10AF313F904C06CBD5C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):278
                                                                                                                          Entropy (8bit):3.5270134268591966
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:Q+sxnxUXa3Y1kRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyt1mymD0wbnKNAH/lMz1
                                                                                                                          MD5:327DA4A5C757C0F1449976BE82653129
                                                                                                                          SHA1:CF74ECDF94B4A8FD4C227313C8606FD53B8EEA71
                                                                                                                          SHA-256:341BABD413AA5E8F0A921AC309A8C760A4E9BA9CFF3CAD3FB2DD9DF70FD257A6
                                                                                                                          SHA-512:9184C3FB989BB271B4B3CDBFEFC47EA8ABEB12B8904EE89797CC9823F33952BD620C061885A5C11BBC1BD3978C4B32EE806418F3F21DA74F1D2DB9817F6E167E
                                                                                                                          Malicious:false
                                                                                                                          Preview:[File]..OriginalName: Berlin.thmx..Component: PPTFiles..ReqVer: 14..Executable: {PP}..StoreLocation: {My Templates}..Command: {FilePath}..
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1091485
                                                                                                                          Entropy (8bit):7.906659368807194
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:oBpmCkw3Tg/euEB+UdoC4k7ytHkHA6B/puqW2MIkTeSBmKrZHQ:MR3c/AseydwppC7veSBmWHQ
                                                                                                                          MD5:2192871A20313BEC581B277E405C6322
                                                                                                                          SHA1:1F9A6A5E10E1C3FFEB6B6725C5D2FA9ECDF51085
                                                                                                                          SHA-256:A06B302954A4C9A6A104A8691864A9577B0BFEA240B0915D9BEA006E98CDFFEC
                                                                                                                          SHA-512:6D8844D2807BB90AEA6FE0DDDB9C67542F587EC9B7FC762746164B2D4A1A99EF8368A70C97BAD7A986AAA80847F64408F50F4707BB039FCCC509133C231D53B9
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):280
                                                                                                                          Entropy (8bit):3.5301133500353727
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:Q+sxnxUXp2pRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyZ2vymD0wbnKNAH/lMz1
                                                                                                                          MD5:1C5D58A5ED3B40486BC22B254D17D1DD
                                                                                                                          SHA1:69B8BB7B0112B37B9B5F9ADA83D11FBC99FEC80A
                                                                                                                          SHA-256:EBE031C340F04BB0235FE62C5A675CF65C5CC8CE908F4621A4F5D7EE85F83055
                                                                                                                          SHA-512:4736E4F26C6FAAB47718945BA54BD841FE8EF61F0DBA927E5C4488593757DBF09689ABC387A8A44F7C74AA69BA89BEE8EA55C87999898FEFEB232B1BA8CC7086
                                                                                                                          Malicious:false
                                                                                                                          Preview:[File]..OriginalName: Gallery.thmx..Component: PPTFiles..ReqVer: 14..Executable: {PP}..StoreLocation: {My Templates}..Command: {FilePath}..
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1463634
                                                                                                                          Entropy (8bit):7.898382456989258
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:75MGNW/UpLkupMAqDJhNHK4/TuiKbdhbZM+byLH/:7ZwUpLkulkHK46iiDZHeLH/
                                                                                                                          MD5:ACBA78931B156E4AF5C4EF9E4AB3003B
                                                                                                                          SHA1:2A1F506749A046ECFB049F23EC43B429530EC489
                                                                                                                          SHA-256:943E4044C40ABA93BD7EA31E8B5EBEBD7976085E8B1A89E905952FA8DAC7B878
                                                                                                                          SHA-512:2815D912088BA049F468CA9D65B92F8951A9BE82AB194DBFACCF0E91F0202820F5BC9535966654D28F69A8B92D048808E95FEA93042D8C5DEA1DCB0D58BE5175
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):280
                                                                                                                          Entropy (8bit):3.5286004619027067
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:Q+sxnxUXOzXkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny6WymD0wbnKNAH/lMz1
                                                                                                                          MD5:40FF521ED2BA1B015F17F0B0E5D95068
                                                                                                                          SHA1:0F29C084311084B8FDFE67855884D8EB60BDE1A6
                                                                                                                          SHA-256:CC3575BA195F0F271FFEBA6F6634BC9A2CF5F3BE448F58DBC002907D7C81CBBB
                                                                                                                          SHA-512:9507E6145417AC730C284E58DC6B2063719400B395615C40D7885F78F57D55B251CB9C954D573CB8B6F073E4CEA82C0525AE90DEC68251C76A6F1B03FD9943C0
                                                                                                                          Malicious:false
                                                                                                                          Preview:[File]..OriginalName: Circuit.thmx..Component: PPTFiles..ReqVer: 14..Executable: {PP}..StoreLocation: {My Templates}..Command: {FilePath}..
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1204049
                                                                                                                          Entropy (8bit):7.92476783994848
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:+3zSQBxvOUIpHLYTCEmS1Wu09jRalJP3sdgnmAOFt0zU4L0MRx5QNn5:+bvI5UTCPu09qP3JPOFoR4N5
                                                                                                                          MD5:FD5BBC58056522847B3B75750603DF0C
                                                                                                                          SHA1:97313E85C0937739AF7C7FC084A10BF202AC9942
                                                                                                                          SHA-256:44976408BD6D2703BDBE177259061A502552193B1CD05E09B698C0DAC3653C5F
                                                                                                                          SHA-512:DBD72827044331215A7221CA9B0ECB8809C7C79825B9A2275F3450BAE016D7D320B4CA94095F7CEF4372AC63155C78CA4795E23F93166D4720032ECF9F932B8E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):276
                                                                                                                          Entropy (8bit):3.5364757859412563
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:Q+sxnxUXARkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnywMymD0wbnKNAH/lMz1
                                                                                                                          MD5:CD465E8DA15E26569897213CA9F6BC9C
                                                                                                                          SHA1:9EA9B5E6C9B7BF72A777A21EC17FD82BC4386D4C
                                                                                                                          SHA-256:D4109317C2DBA1D7A94FC1A4B23FA51F4D0FC8E1D9433697AAFA72E335192610
                                                                                                                          SHA-512:869A42679F96414FE01FE1D79AF7B33A0C9B598B393E57E0E4D94D68A4F2107EC58B63A532702DA96A1F2F20CE72E6E08125B38745CD960DF62FE539646EDD8D
                                                                                                                          Malicious:false
                                                                                                                          Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .S.a.v.o.n...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1750795
                                                                                                                          Entropy (8bit):7.892395931401988
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:DyeAqDJpUDH3xk8ZKIBuX3TPtd36v4o5d4PISMETGBP6eUP+xSeW3v0HKPsc:uRqUjSTPtd36AFDM/BP6eUeW3v0Fc
                                                                                                                          MD5:529795E0B55926752462CBF32C14E738
                                                                                                                          SHA1:E72DFF8354DF2CB6A5698F14BBD1805D72FEEAFF
                                                                                                                          SHA-256:8D341D1C24176DC6B67104C2AF90FABD3BFF666CCC0E269381703D7659A6FA05
                                                                                                                          SHA-512:A51F440F1E19C084D905B721D0257F7EEE082B6377465CB94E677C29D4E844FD8021D0B6BA26C0907B72B84157C60A3EFEDFD96C16726F6ABEA8D896D78B08CE
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):280
                                                                                                                          Entropy (8bit):3.528155916440219
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:Q+sxnxUXcmlDuRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyMmloymD0wbnKNAH/lMz1
                                                                                                                          MD5:AA7B919B21FD42C457948DE1E2988CB3
                                                                                                                          SHA1:19DA49CF5540E5840E95F4E722B54D44F3154E04
                                                                                                                          SHA-256:5FFF5F1EC1686C138192317D5A67E22A6B02E5AAE89D73D4B19A492C2F5BE2F9
                                                                                                                          SHA-512:01D27377942F69A0F2FE240DD73A1F97BB915E19D3D716EE4296C6EF8D8933C80E4E0C02F6C9FA72E531246713364190A2F67F43EDBE12826A1529BC2A629B00
                                                                                                                          Malicious:false
                                                                                                                          Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .D.r.o.p.l.e.t...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2357051
                                                                                                                          Entropy (8bit):7.929430745829162
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:tfVcGO3JiR6SgT7/bOCrKCsaFCX3CzwovQTSwW8nX:pVcG2iRedsaoXSzeOwWEX
                                                                                                                          MD5:5BDE450A4BD9EFC71C370C731E6CDF43
                                                                                                                          SHA1:5B223FB902D06F9FCC70C37217277D1E95C8F39D
                                                                                                                          SHA-256:93BFC6AC1DC1CFF497DF92B30B42056C9D422B2321C21D65728B98E420D4ED50
                                                                                                                          SHA-512:2365A9F76DA07D705A6053645FD2334D707967878F930061D451E571D9228C74A8016367525C37D09CB2AD82261B4B9E7CAEFBA0B96CE2374AC1FAC6B7AB5123
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):276
                                                                                                                          Entropy (8bit):3.516423078177173
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:Q+sxnxUX7kARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny5ymD0wbnKNAH/lMz1
                                                                                                                          MD5:5402138088A9CF0993C08A0CA81287B8
                                                                                                                          SHA1:D734BD7F2FB2E0C7D5DB8F70B897376ECA935C9A
                                                                                                                          SHA-256:5C9F5E03EEA4415043E65172AD2729F34BBBFC1A1156A630C65A71CE578EF137
                                                                                                                          SHA-512:F40A8704F16AB1D5DCD861355B07C7CB555934BB9DA85AACDCF869DC942A9314FFA12231F9149D28D438BE6A1A14FCAB332E54B6679E29AD001B546A0F48DE64
                                                                                                                          Malicious:false
                                                                                                                          Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .S.l.a.t.e...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2218943
                                                                                                                          Entropy (8bit):7.942378408801199
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:8mwK3gH/l4hM06Wqnnl1IdO9wASFntrPEWNe7:863gHt4hM9WWnMdO9w35PEWK
                                                                                                                          MD5:EE33FDA08FBF10EF6450B875717F8887
                                                                                                                          SHA1:7DFA77B8F4559115A6BF186EDE51727731D7107D
                                                                                                                          SHA-256:5CF611069F281584DE3E63DE8B99253AA665867299DC0192E8274A32A82CAA20
                                                                                                                          SHA-512:AED6E11003AAAACC3FB28AE838EDA521CB5411155063DFC391ACE2B9CBDFBD5476FAB2B5CC528485943EBBF537B95F026B7B5AB619893716F0A91AEFF076D885
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):278
                                                                                                                          Entropy (8bit):3.544065206514744
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:Q+sxnxUXCARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyy6ymD0wbnKNAH/lMz1
                                                                                                                          MD5:06B3DDEFF905F75FA5FA5C5B70DCB938
                                                                                                                          SHA1:E441B94F0621D593DC870A27B28AC6BE3842E7DB
                                                                                                                          SHA-256:72D49BDDE44DAE251AEADF963C336F72FA870C969766A2BB343951E756B3C28A
                                                                                                                          SHA-512:058792BAA633516037E7D833C8F59584BA5742E050FA918B1BEFC6F64A226AB3821B6347A729BEC2DF68BB2DFD2F8E27947F74CD4F6BDF842606B9DEDA0B75CC
                                                                                                                          Malicious:false
                                                                                                                          Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .D.a.m.a.s.k...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):562113
                                                                                                                          Entropy (8bit):7.67409707491542
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:/dy5Gtyp/FZ9QqjdxDfSp424XeavSktiAVE0:/dizp1ndpqpMZnV
                                                                                                                          MD5:4A1657A3872F9A77EC257F41B8F56B3D
                                                                                                                          SHA1:4DDEA85C649A2C1408B5B08A15DEF49BAA608A0B
                                                                                                                          SHA-256:C17103ADE455094E17AC182AD4B4B6A8C942FD3ACB381F9A5E34E3F8B416AE60
                                                                                                                          SHA-512:7A2932639E06D79A5CE1D3C71091890D9E329CA60251E16AE4095E4A06C6428B4F86B7FFFA097BF3EEFA064370A4D51CA3DF8C89EAFA3B1F45384759DEC72922
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):278
                                                                                                                          Entropy (8bit):3.535736910133401
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:Q+sxnxUXeAlFkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyRGymD0wbnKNAH/lMz1
                                                                                                                          MD5:487E25E610F3FC2EEA27AB54324EA8F6
                                                                                                                          SHA1:11C2BB004C5E44503704E9FFEEFA7EA7C2A9305C
                                                                                                                          SHA-256:022EC5077279A8E447B590F7260E1DBFF764DE5F9CDFD4FDEE32C94C66D4A1A2
                                                                                                                          SHA-512:B8DF351E2C0EF101CF91DC02E136A3EE9C1FDB18294BECB13A29D676FBBE791A80A58A18FBDEB953BC21EC54EB7608154D401407C461ABD10ACB94CE8AD0E092
                                                                                                                          Malicious:false
                                                                                                                          Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .B.a.n.d.e.d...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):558035
                                                                                                                          Entropy (8bit):7.696653383430889
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:DQ/oYjRRRRRRRRYcdY/5ASWYqBMp8xsGGEOzI7vQQwOyP:DQ/nRRRRRRRRxY/5JWYZ3GGbI8YA
                                                                                                                          MD5:3B5E44DDC6AE612E0346C58C2A5390E3
                                                                                                                          SHA1:23BCF3FCB61F80C91D2CFFD8221394B1CB359C87
                                                                                                                          SHA-256:9ED9AD4EB45E664800A4876101CBEE65C232EF478B6DE502A330D7C89C9AE8E2
                                                                                                                          SHA-512:2E63419F272C6E411CA81945E85E08A6E3230A2F601C4D28D6312DB5C31321F94FAFA768B16BC377AE37B154C6869CA387005693A79C5AB1AC45ED73BCCC6479
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):276
                                                                                                                          Entropy (8bit):3.5361139545278144
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:Q+sxnxUXeMWMluRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnycMlMymD0wbnKNAH/lMz1
                                                                                                                          MD5:133D126F0DE2CC4B29ECE38194983265
                                                                                                                          SHA1:D8D701298D7949BE6235493925026ED405290D43
                                                                                                                          SHA-256:08485EBF168364D846C6FD55CD9089FE2090D1EE9D1A27C1812E1247B9005E68
                                                                                                                          SHA-512:75D7322BE8A5EF05CAA48B754036A7A6C56399F17B1401F3F501DA5F32B60C1519F2981043A773A31458C3D9E1EF230EC60C9A60CAC6D52FFE16147E2E0A9830
                                                                                                                          Malicious:false
                                                                                                                          Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .B.a.s.i.s...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2924237
                                                                                                                          Entropy (8bit):7.970803022812704
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:mc4NEo4XNd5wU5qTkdC4+K9u5b/i40RKRAO/cLf68wy9yxKrOUURBgmai2prH:mJef5yTSoKMF//DRGJwLx9DBaH
                                                                                                                          MD5:5AF1581E9E055B6E323129E4B07B1A45
                                                                                                                          SHA1:B849F85BCAF0E1C58FA841FFAE3476D20D33F2DD
                                                                                                                          SHA-256:BDC9FBF81FBE91F5BF286B2CEA00EE76E70752F7E51FE801146B79F9ADCB8E98
                                                                                                                          SHA-512:11BFEF500DAEC099503E8CDB3B4DE4EDE205201C0985DB4CA5EBBA03471502D79D6616D9E8F471809F6F388D7CBB8B0D0799262CBE89FEB13998033E601CEE09
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):286
                                                                                                                          Entropy (8bit):3.5434534344080606
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:Q+sxnxUXIc5+RELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny4KcymD0wbnKNAH/lMz1
                                                                                                                          MD5:C9812793A4E94320C49C7CA054EE6AA4
                                                                                                                          SHA1:CC1F88C8F3868B3A9DE7E0E5F928DBD015234ABA
                                                                                                                          SHA-256:A535AE7DD5EDA6D31E1B5053E64D0D7600A7805C6C8F8AF1DB65451822848FFC
                                                                                                                          SHA-512:D28AADEDE0473C5889F3B770E8D34B20570282B154CD9301932BF90BF6205CBBB96B51027DEC6788961BAF2776439ADBF9B56542C82D89280C0BEB600DF4B633
                                                                                                                          Malicious:false
                                                                                                                          Preview:[File] | OriginalName: Main_Event.thmx | Component: PPTFiles | ReqVer: 14 | Executable: {PP} | StoreLocation: {My Templates} | Command: {FilePath}
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3078052
                                                                                                                          Entropy (8bit):7.954129852655753
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:bSEjlpY8skyFHuj2yY0ciM9U2NCVBB4YFzYFw7IaJE2VRK+Xn9DOOe9pp9N9Hu:bfp5sksA3cimUVxV05aJE2fKaDOXdN9O
                                                                                                                          MD5:CDF98D6B111CF35576343B962EA5EEC6
                                                                                                                          SHA1:D481A70EC9835B82BD6E54316BF27FAD05F13A1C
                                                                                                                          SHA-256:E3F108DDB3B8581A7A2290DD1E220957E357A802ECA5B3087C95ED13AD93A734
                                                                                                                          SHA-512:95C352869D08C0FE903B15311622003CB4635DE8F3A624C402C869F1715316BE2D8D9C0AB58548A84BBB32757E5A1F244B1014120543581FDEA7D7D9D502EF9C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):274
                                                                                                                          Entropy (8bit):3.5303110391598502
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:Q+sxnxUXzRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnylymD0wbnKNAH/lMz1
                                                                                                                          MD5:8D1E1991838307E4C2197ECB5BA9FA79
                                                                                                                          SHA1:4AD8BB98DC9C5060B58899B3E9DCBA6890BC9E93
                                                                                                                          SHA-256:4ABA3D10F65D050A19A3C2F57A024DBA342D1E05706A8A3F66B6B8E16A980DB9
                                                                                                                          SHA-512:DCDC9DB834303CC3EC8F1C94D950A104C504C588CE7631CE47E24268AABC18B1C23B6BEC3E2675E8A2A11C4D80EBF020324E0C7F985EA3A7BBC77C1101C23D01
                                                                                                                          Malicious:false
                                                                                                                          Preview:[File] | OriginalName: Mesh.thmx | Component: PPTFiles | ReqVer: 14 | Executable: {PP} | StoreLocation: {My Templates} | Command: {FilePath}
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):260
                                                                                                                          Entropy (8bit):3.4895685222798054
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fxnxUX4cPBl4xoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyPl4xoGHmD0+dAH/luWvv
                                                                                                                          MD5:63E8B0621B5DEFE1EF17F02EFBFC2436
                                                                                                                          SHA1:2D02AD4FD9BF89F453683B7D2B3557BC1EEEE953
                                                                                                                          SHA-256:9243D99795DCDAD26FA857CB2740E58E3ED581E3FAEF0CB3781CBCD25FB4EE06
                                                                                                                          SHA-512:A27CDA84DF5AD906C9A60152F166E7BD517266CAA447195E6435997280104CBF83037F7B05AE9D4617323895DCA471117D8C150E32A3855156CB156E15FA5864
                                                                                                                          Malicious:false
                                                                                                                          Preview:[File] | OriginalName: VaryingWidthList.glox | Component: WordFiles | ReqVer: 14 | StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3075
                                                                                                                          Entropy (8bit):7.716021191059687
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:96yn4sOBoygpySCCxwKsZCB2oLEIK+aQpUNLRQWtmMamIZxAwCC2QnyODhVOzP4:l0vCxJsZQ2ofpKvtmMdIZxAwJyODhVOE
                                                                                                                          MD5:67766FF48AF205B771B53AA2FA82B4F4
                                                                                                                          SHA1:0964F8B9DC737E954E16984A585BDC37CE143D84
                                                                                                                          SHA-256:160D05B4CB42E1200B859A2DE00770A5C9EBC736B70034AFC832A475372A1667
                                                                                                                          SHA-512:AC28B0B4A9178E9B424E5893870913D80F4EE03D595F587AA1D3ACC68194153BAFC29436ADFD6EA8992F0B00D17A43CFB42C529829090AF32C3BE591BD41776D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):238
                                                                                                                          Entropy (8bit):3.472155835869843
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fxnxUXGE2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny4GHmD0+dAH/luWvv
                                                                                                                          MD5:2240CF2315F2EB448CEA6E9CE21B5AC5
                                                                                                                          SHA1:46332668E2169E86760CBD975FF6FA9DB5274F43
                                                                                                                          SHA-256:0F7D0BD5A8CED523CFF4F99D7854C0EE007F5793FA9E1BA1CD933B0894BFBD0D
                                                                                                                          SHA-512:10BA73FF861112590BF135F4B337346F9D4ACEB10798E15DC5976671E345BC29AC8527C6052FEC86AA7058E06D1E49052E49D7BCF24A01DB259B5902DB091182
                                                                                                                          Malicious:false
                                                                                                                          Preview:[File] | OriginalName: rings.glox | Component: WordFiles | ReqVer: 14 | StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):5151
                                                                                                                          Entropy (8bit):7.859615916913808
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:WkV3UHhcZDEteEJqeSGzpG43GUR8m8b6dDLiCTfjKPnD6H5RhfuDKNtxx3+7tDLp:Wq3UBc9EJqIpGgD5dDL1DjKvDKhfnNti
                                                                                                                          MD5:6C24ED9C7C868DB0D55492BB126EAFF8
                                                                                                                          SHA1:C6D96D4D298573B70CF5C714151CF87532535888
                                                                                                                          SHA-256:48AF17267AD75C142EFA7AB7525CA48FAB579592339FB93E92C4C4DA577D4C9F
                                                                                                                          SHA-512:A3E9DC48C04DC8571289F57AE790CA4E6934FBEA4FDDC20CB780F7EA469FE1FC1D480A1DBB04D15301EF061DA5700FF0A793EB67D2811C525FEF618B997BCABD
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):254
                                                                                                                          Entropy (8bit):3.4845992218379616
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fxnxUXQFoElh/lE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny8lLGHmD0+dAH/luWvv
                                                                                                                          MD5:E8B30D1070779CC14FBE93C8F5CF65BE
                                                                                                                          SHA1:9C87F7BC66CF55634AB3F070064AAF8CC977CD05
                                                                                                                          SHA-256:2E90434BE1F6DCEA9257D42C331CD9A8D06B848859FD4742A15612B2CA6EFACB
                                                                                                                          SHA-512:C0D5363B43D45751192EF06C4EC3C896A161BB11DBFF1FC2E598D28C644824413C78AE3A68027F7E622AF0D709BE0FA893A3A3B4909084DF1ED9A8C1B8267FCA
                                                                                                                          Malicious:false
                                                                                                                          Preview:[File] | OriginalName: HexagonRadial.glox | Component: WordFiles | ReqVer: 14 | StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6024
                                                                                                                          Entropy (8bit):7.886254023824049
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:bGa2onnLYHTSSxpHVTSH1bywZKmpRqiUtFvS9xrPooBpni6eDa16MUELHsrKjRBA:SJonLYzSSr1TuZNwtFZKpiiyrKXuCUd
                                                                                                                          MD5:20621E61A4C5B0FFEEC98FFB2B3BCD31
                                                                                                                          SHA1:4970C22A410DCB26D1BD83B60846EF6BEE1EF7C4
                                                                                                                          SHA-256:223EA2602C3E95840232CACC30F63AA5B050FA360543C904F04575253034E6D7
                                                                                                                          SHA-512:BDF3A8E3D6EE87D8ADE0767918603B8D238CAE8A2DD0C0F0BF007E89E057C7D1604EB3CCAF0E1BA54419C045FC6380ECBDD070F1BB235C44865F1863A8FA7EEA
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):262
                                                                                                                          Entropy (8bit):3.4901887319218092
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fxnxUXqhBMl0OoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyiMl0OoGHmD0+dAH/luWvv
                                                                                                                          MD5:52BD0762F3DC77334807DDFC60D5F304
                                                                                                                          SHA1:5962DA7C58F742046A116DDDA5DC8EA889C4CB0E
                                                                                                                          SHA-256:30C20CC835E912A6DD89FD1BF5F7D92B233B2EC24594F1C1FE0CADB03A8C3FAB
                                                                                                                          SHA-512:FB68B1CF9677A00D5651C51EC604B61DAC2D250D44A71D43CD69F41F16E4F0A7BAA7AD4A6F7BB870429297465A893013BBD7CC77A8F709AD6DB97F5A0927B1DD
                                                                                                                          Malicious:false
                                                                                                                          Preview:[File] | OriginalName: RadialPictureList.glox | Component: WordFiles | ReqVer: 14 | StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):5596
                                                                                                                          Entropy (8bit):7.875182123405584
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:dGa2unnLYEB2EUAPOak380NQjqbHaPKJebgrEVws8Vw+BMa0EbdLVQaZJgDZh0pJ:UJunLYEB2EUAxk3pIYaScgYwsV4bdS0X
                                                                                                                          MD5:CDC1493350011DB9892100E94D5592FE
                                                                                                                          SHA1:684B444ADE2A8DBE760B54C08F2D28F2D71AD0FA
                                                                                                                          SHA-256:F637A67799B492FEFFB65632FED7815226396B4102A7ED790E0D9BB4936E1548
                                                                                                                          SHA-512:3699066A4E8A041079F12E88AB2E7F485E968619CB79175267842846A3AD64AA8E7778CBACDF1117854A7FDCFB46C8025A62F147C81074823778C6B4DC930F12
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):332
                                                                                                                          Entropy (8bit):3.547857457374301
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fxnxUXSpGLMeKlPaw93Ti8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyipTIw9eNGHmD0wbnKYZAH/lMZqiv
                                                                                                                          MD5:4EC6724CBBA516CF202A6BD17226D02C
                                                                                                                          SHA1:E412C574D567F0BA68B4A31EDB46A6AB3546EA95
                                                                                                                          SHA-256:18E408155A2C2A24D91CD45E065927FFDA726356AAB115D290A3C1D0B7100402
                                                                                                                          SHA-512:DE45011A084AB94BF5B27F2EC274D310CF68DF9FB082E11726E08EB89D5D691EA086C9E0298E16AE7AE4B23753E5916F69F78AAD82F4627FC6F80A6A43D163DB
                                                                                                                          Malicious:false
                                                                                                                          Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .h.a.r.v.a.r.d.a.n.g.l.i.a.2.0.0.8.o.f.f.i.c.e.o.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):284415
                                                                                                                          Entropy (8bit):5.00549404077789
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:N9G5o7Fv0ZcxrStAtXWty8zRLYBQd8itHiYYPVJHMSo27hlwNR57johqBXlwNR2b:y
                                                                                                                          MD5:33A829B4893044E1851725F4DAF20271
                                                                                                                          SHA1:DAC368749004C255FB0777E79F6E4426E12E5EC8
                                                                                                                          SHA-256:C40451CADF8944A9625DD690624EA1BA19CECB825A67081E8144AD5526116924
                                                                                                                          SHA-512:41C1F65E818C2757E1A37F5255E98F6EDEAC4214F9D189AD09C6F7A51F036768C1A03D6CFD5845A42C455EE189D13BB795673ACE3B50F3E1D77DAFF400F4D708
                                                                                                                          Malicious:false
                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2008</xsl:text>.....</xsl:when>.... <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <x
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):254
                                                                                                                          Entropy (8bit):3.4721586910685547
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fxnxUX9+RclTloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyteUTloGHmD0+dAH/luWvv
                                                                                                                          MD5:4DD225E2A305B50AF39084CE568B8110
                                                                                                                          SHA1:C85173D49FC1522121AA2B0B2E98ADF4BB95B897
                                                                                                                          SHA-256:6F00DD73F169C73D425CB9895DAC12387E21C6E4C9C7DDCFB03AC32552E577F4
                                                                                                                          SHA-512:0493AB431004191381FF84AD7CC46BD09A1E0FEEC16B3183089AA8C20CC7E491FAE86FE0668A9AC677F435A203E494F5E6E9E4A0571962F6021D6156B288B28A
                                                                                                                          Malicious:false
                                                                                                                          Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .c.h.e.v.r.o.n.a.c.c.e.n.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4243
                                                                                                                          Entropy (8bit):7.824383764848892
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:22MQe4zHye8/djzF+JjvtmMkkBpF7e0LTkaf:22De4zHHCvF+nRBDXoaf
                                                                                                                          MD5:7BC0A35807CD69C37A949BBD51880FF5
                                                                                                                          SHA1:B5870846F44CAD890C6EFF2F272A037DA016F0D8
                                                                                                                          SHA-256:BD3A013F50EBF162AAC4CED11928101554C511BD40C2488CF9F5842A375B50CA
                                                                                                                          SHA-512:B5B785D693216E38B5AB3F401F414CADACCDCB0DCA4318D88FE1763CD3BAB8B7670F010765296613E8D3363E47092B89357B4F1E3242F156750BE86F5F7E9B8D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4026
                                                                                                                          Entropy (8bit):7.809492693601857
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:VpDCBFLhxaUGm5EWA07yNdKH1FQpy8tnX8Iz3b7TrT502+fPD:VpDYFFRMNU+RtXzLf35t+3D
                                                                                                                          MD5:5D9BAD7ADB88CEE98C5203883261ACA1
                                                                                                                          SHA1:FBF1647FCF19BCEA6C3CF4365C797338CA282CD2
                                                                                                                          SHA-256:8CE600404BB3DB92A51B471D4AB8B166B566C6977C9BB63370718736376E0E2F
                                                                                                                          SHA-512:7132923869A3DA2F2A75393959382599D7C4C05CA86B4B27271AB9EA95C7F2E80A16B45057F4FB729C9593F506208DC70AF2A635B90E4D8854AC06C787F6513D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):250
                                                                                                                          Entropy (8bit):3.4916022431157345
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fxnxUXsAl8xoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny8A8xoGHmD0+dAH/luWvv
                                                                                                                          MD5:1A314B08BB9194A41E3794EF54017811
                                                                                                                          SHA1:D1E70DB69CA737101524C75E634BB72F969464FF
                                                                                                                          SHA-256:9025DD691FCAD181D5FD5952C7AA3728CD8A2CAF20DEA14930876419BED9B379
                                                                                                                          SHA-512:AB29C8674A85711EABAE5F9559E9048FE91A2F51EB12D5A46152A310DE59F759DF8C617DA248798A7C20F60E26FBB1B0FC8DB47C46B098BCD26CF8CE78989ACA
                                                                                                                          Malicious:false
                                                                                                                          Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .B.r.a.c.k.e.t.L.i.s.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):252
                                                                                                                          Entropy (8bit):3.4680595384446202
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fxnxUXivlE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyydGHmD0+dAH/luWvv
                                                                                                                          MD5:D79B5DE6D93AC06005761D88783B3EE6
                                                                                                                          SHA1:E05BDCE2673B6AA8CBB17A138751EDFA2264DB91
                                                                                                                          SHA-256:96125D6804544B8D4E6AE8638EFD4BD1F96A1BFB9EEF57337FFF40BA9FF4CDD1
                                                                                                                          SHA-512:34057F7B2AB273964CB086D8A7DF09A4E05D244A1A27E7589BDC7E5679AB5F587FAB52A2261DB22070DA11EF016F7386635A2B8E54D83730E77A7B142C2E3929
                                                                                                                          Malicious:false
                                                                                                                          Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .a.r.c.h.i.t.e.c.t.u.r.e...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):5783
                                                                                                                          Entropy (8bit):7.88616857639663
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:CDG4D+8VsXzXc2zLXTJ2XFY47pk2G7HVlwFzTXNbMfmn2ivLZcreFWw5fc9ADdZm:CDG4DRGY23l2Xu47GL7YtT9V29yWvWdk
                                                                                                                          MD5:8109B3C170E6C2C114164B8947F88AA1
                                                                                                                          SHA1:FC63956575842219443F4B4C07A8127FBD804C84
                                                                                                                          SHA-256:F320B4BB4E57825AA4A40E5A61C1C0189D808B3EACE072B35C77F38745A4C416
                                                                                                                          SHA-512:F8A8D7A6469CD3E7C31F3335DDCC349AD7A686730E1866F130EE36AA9994C52A01545CE73D60B642FFE0EE49972435D183D8CD041F2BB006A6CAF31BAF4924AC
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):314
                                                                                                                          Entropy (8bit):3.5230842510951934
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fxnxUXJuJaw93Ti8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyZuUw9eNGHmD0wbnKYZAH/lMZqiv
                                                                                                                          MD5:F25AC64EC63FA98D9E37782E2E49D6E6
                                                                                                                          SHA1:97DD9CFA4A22F5B87F2B53EFA37332A9EF218204
                                                                                                                          SHA-256:834046A829D1EA836131B470884905856DBF2C3C136C98ADEEFA0F206F38F8AB
                                                                                                                          SHA-512:A0387239CDE98BCDE1668B582B046619C3B3505F9440343DAD22B1B7B9E05F3B74F2AE29E591EC37B6570A0C0E5FE571442873594B0684DDCCB4F6A1B5E10B1F
                                                                                                                          Malicious:false
                                                                                                                          Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .i.e.e.e.2.0.0.6.o.f.f.i.c.e.o.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):294178
                                                                                                                          Entropy (8bit):4.977758311135714
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:ydkJ3yU0orh0SCLVXyMFsoiOjWIm4vW2uo4hfhf7v3uH4NYYP4BpBaZTTSSamEUD:b
                                                                                                                          MD5:0C9731C90DD24ED5CA6AE283741078D0
                                                                                                                          SHA1:BDD3D7E5B0DE9240805EA53EF2EB784A4A121064
                                                                                                                          SHA-256:ABCE25D1EB3E70742EC278F35E4157EDB1D457A7F9D002AC658AAA6EA4E4DCDF
                                                                                                                          SHA-512:A39E6201D6B34F37C686D9BD144DDD38AE212EDA26E3B81B06F1776891A90D84B65F2ABC5B8F546A7EFF3A62D35E432AF0254E2F5BFE4AA3E0CF9530D25949C0
                                                                                                                          Malicious:false
                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2006</xsl:text>.....</xsl:when>.. <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameL
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):278
                                                                                                                          Entropy (8bit):3.5280239200222887
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fxnxUXQAl8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyllNGHmD0wbnKYZAH/lMZqiv
                                                                                                                          MD5:877A8A960B2140E3A0A2752550959DB9
                                                                                                                          SHA1:FBEC17B332CBC42F2F16A1A08767623C7955DF48
                                                                                                                          SHA-256:FE07084A41CF7DB58B06D2C0D11BCACB603D6574261D1E7EBADCFF85F39AFB47
                                                                                                                          SHA-512:B8B660374EC6504B3B5FCC7DAC63AF30A0C9D24306C36B33B33B23186EC96AEFE958A3851FF3BC57FBA72A1334F633A19C0B8D253BB79AA5E5AFE4A247105889
                                                                                                                          Malicious:false
                                                                                                                          Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .g.b...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):268317
                                                                                                                          Entropy (8bit):5.05419861997223
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:JwprAJLR95vtfb8p4bgWPzDCvCmvQursq7vImej/yQzSS1apSiQhHDOruvoVeMUh:N9
                                                                                                                          MD5:51D32EE5BC7AB811041F799652D26E04
                                                                                                                          SHA1:412193006AA3EF19E0A57E16ACF86B830993024A
                                                                                                                          SHA-256:6230814BF5B2D554397580613E20681752240AB87FD354ECECF188C1EABE0E97
                                                                                                                          SHA-512:5FC5D889B0C8E5EF464B76F0C4C9E61BDA59B2D1205AC9417CC74D6E9F989FB73D78B4EB3044A1A1E1F2C00CE1CA1BD6D4D07EEADC4108C7B124867711C31810
                                                                                                                          Malicious:false
                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):286
                                                                                                                          Entropy (8bit):3.4670546921349774
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fxnxUX0XPYDxUloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyEXPYDCloGHmD0+dAH/luWvv
                                                                                                                          MD5:3D52060B74D7D448DC733FFE5B92CB52
                                                                                                                          SHA1:3FBA3FFC315DB5B70BF6F05C4FF84B52A50FCCBC
                                                                                                                          SHA-256:BB980559C6FC38B703D1E9C41720D5CE8D00D2FF86D4F25136DB02B1E54B1518
                                                                                                                          SHA-512:952EF139A72562A528C1052F1942DAE1C0509D67654BF5E7C0602C87F90147E8EE9E251D2632BCB5B511AB2FF8A3734293D0A4E3DBD3D187F5E3C042685F9A0C
                                                                                                                          Malicious:false
                                                                                                                           Preview:[File]..OriginalName: ThemePictureAlternatingAccent.glox..Component: WordFiles..ReqVer: 14..StoreLocation: {My Templates}\SmartArt Graphics....
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):5630
                                                                                                                          Entropy (8bit):7.87271654296772
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:n5ni6jKZWsD+QJaUQ7R6qYFF5QS+BEgeJam6S7ZCHuKViGa2CnnLYLt/ht:nccqxIBdQ1QS+uDJanS7ZCHHVdJCnLY5
                                                                                                                          MD5:2F8998AA9CF348F1D6DE16EAB2D92070
                                                                                                                          SHA1:85B13499937B4A584BEA0BFE60475FD4C73391B6
                                                                                                                          SHA-256:8A216D16DEC44E02B9AB9BBADF8A11F97210D8B73277B22562A502550658E580
                                                                                                                          SHA-512:F10F7772985EDDA442B9558127F1959FF0A9909C7B7470E62D74948428BFFF7E278739209E8626AE5917FF728AFB8619AE137BEE2A6A4F40662122208A41ABB2
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):333258
                                                                                                                          Entropy (8bit):4.654450340871081
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:ybW83Zb181+MKHZR5D7H3hgtfL/8mIDbEhPv9FHSVsioWUyGYmwxAw+GIfnUNv5J:i
                                                                                                                          MD5:5632C4A81D2193986ACD29EADF1A2177
                                                                                                                          SHA1:E8FF4FDFEB0002786FCE1CF8F3D25F8E9631E346
                                                                                                                          SHA-256:06DE709513D7976690B3DD8F5FDF1E59CF456A2DFBA952B97EACC72FE47B238B
                                                                                                                          SHA-512:676CE1957A374E0F36634AA9CFFBCFB1E1BEFE1B31EE876483B10763EA9B2D703F2F3782B642A5D7D0945C5149B572751EBD9ABB47982864834EF61E3427C796
                                                                                                                          Malicious:false
                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.. <xsl:output method="html" encoding="us-ascii"/>.... <xsl:template match="*" mode="outputHtml2">.. <xsl:apply-templates mode="outputHtml"/>.. </xsl:template>.... <xsl:template name="StringFormatDot">.. <xsl:param name="format" />.. <xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.. <xsl:when test="$format = ''"></xsl:when>.. <xsl:when test="substring($format, 1, 2) = '%%'">.. <xsl:text>%</xsl:text>.. <xsl:call-template name="StringFormatDot">.. <xsl:with-param name="format" select="substring($format, 3)" />.. <xsl:with-param name=
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):328
                                                                                                                          Entropy (8bit):3.541819892045459
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fxnxUXuqRDA5McaQVTi8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxny+AASZQoNGHmD0wbnKYZAH/lMZqiv
                                                                                                                          MD5:C3216C3FC73A4B3FFFE7ED67153AB7B5
                                                                                                                          SHA1:F20E4D33BABE978BE6A6925964C57D6E6EF1A92E
                                                                                                                          SHA-256:7CF1D6A4F0BE5E6184F59BFB1304509F38E480B59A3B091DBDC43B052D2137CB
                                                                                                                          SHA-512:D3B78BE6E7633FF943F5E34063B5EFA4AF239CD49F437227FC7575F6CC65C497B7D6F6A979EA065065BEAF257CB368560B5462542692286052B5C7E5C01755BC
                                                                                                                          Malicious:false
                                                                                                                           Preview:[File]..OriginalName: APASixthEditionOfficeOnline.xsl..Component: WordFiles..ReqVer: 14..Executable: {WD}..StoreLocation: {My Templates}..Command: /f {FilePath}....
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):290
                                                                                                                          Entropy (8bit):3.5161159456784024
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fxnxUX+l8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyulNGHmD0wbnKYZAH/lMZqiv
                                                                                                                          MD5:C15EB3F4306EBF75D1E7C3C9382DEECC
                                                                                                                          SHA1:A3F9684794FFD59151A80F97770D4A79F1D030A6
                                                                                                                          SHA-256:23C262DF3AEACB125E88C8FFB7DBF56FD23F66E0D476AFD842A68DDE69658C7F
                                                                                                                          SHA-512:ACDF7D69A815C42223FD6300179A991A379F7166EFAABEE41A3995FB2030CD41D8BCD46B566B56D1DFBAE8557AFA1D9FD55143900A506FA733DE9DA5D73389D6
                                                                                                                          Malicious:false
                                                                                                                           Preview:[File]..OriginalName: turabian.xsl..Component: WordFiles..ReqVer: 14..Executable: {WD}..StoreLocation: {My Templates}..Command: /f {FilePath}....
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):344303
                                                                                                                          Entropy (8bit):5.023195898304535
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:UwprANnsqvtfL/vF/bkWPRMMv7EOMBPitjASjTQQr7IwR0TnyDk1b78plJwf33iD:6
                                                                                                                          MD5:F079EC5E2CCB9CD4529673BCDFB90486
                                                                                                                          SHA1:FBA6696E6FA918F52997193168867DD3AEBE1AD6
                                                                                                                          SHA-256:3B651258F4D0EE1BFFC7FB189250DED1B920475D1682370D6685769E3A9346DB
                                                                                                                          SHA-512:4FFFA59863F94B3778F321DA16C43B92A3053E024BDD8C5317077EA1ECC7B09F67ECE3C377DB693F3432BF1E2D947EC5BF8E88E19157ED08632537D8437C87D6
                                                                                                                          Malicious:false
                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$pa
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):280
                                                                                                                          Entropy (8bit):3.484503080761839
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fxnxUXGdQ1MecJZMlWlk2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny2dQ98MlWlzGHmD0+dAH/luWvv
                                                                                                                          MD5:1309D172F10DD53911779C89A06BBF65
                                                                                                                          SHA1:274351A1059868E9DEB53ADF01209E6BFBDFADFB
                                                                                                                          SHA-256:C190F9E7D00E053596C3477455D1639C337C0BE01012C0D4F12DFCB432F5EC56
                                                                                                                          SHA-512:31B38AD2D1FFF93E03BF707811F3A18AD08192F906E36178457306DDAB0C3D8D044C69DE575ECE6A4EE584800F827FB3C769F98EA650F1C208FEE84177070339
                                                                                                                          Malicious:false
                                                                                                                           Preview:[File]..OriginalName: InterconnectedBlockProcess.glox..Component: WordFiles..ReqVer: 14..StoreLocation: {My Templates}\SmartArt Graphics....
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):9191
                                                                                                                          Entropy (8bit):7.93263830735235
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:oeAMExvPJMg+yE+AfJLi3+Xoj7F3sPgMG61J88eDhFWT7hFNsdJtnLYJ7tSh:v2d+hnfJLi3+4ja4WqhFWT7FsdHMA
                                                                                                                          MD5:08D3A25DD65E5E0D36ADC602AE68C77D
                                                                                                                          SHA1:F23B6DDB3DA0015B1D8877796F7001CABA25EA64
                                                                                                                          SHA-256:58B45B9DBA959F40294DA2A54270F145644E810290F71260B90F0A3A9FCDEBC1
                                                                                                                          SHA-512:77D24C272D67946A3413D0BEA700A7519B4981D3B4D8486A655305546CE6133456321EE94FD71008CBFD678433EA1C834CFC147179B31899A77D755008FCE489
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):256
                                                                                                                          Entropy (8bit):3.4842773155694724
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fxnxUXDAlIJAFIloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyMlI7loGHmD0+dAH/luWvv
                                                                                                                          MD5:923D406B2170497AD4832F0AD3403168
                                                                                                                          SHA1:A77DA08C9CB909206CDE42FE1543B9FE96DF24FB
                                                                                                                          SHA-256:EBF9CF474B25DDFE0F6032BA910D5250CBA2F5EDF9CF7E4B3107EDB5C13B50BF
                                                                                                                          SHA-512:A4CD8C74A3F916CA6B15862FCA83F17F2B1324973CCBCC8B6D9A8AEE63B83A3CD880DC6821EEADFD882D74C7EF58FA586781DED44E00E8B2ABDD367B47CE45B7
                                                                                                                          Malicious:false
                                                                                                                           Preview:[File]..OriginalName: ConvergingText.glox..Component: WordFiles..ReqVer: 14..StoreLocation: {My Templates}\SmartArt Graphics....
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):11380
                                                                                                                          Entropy (8bit):7.891971054886943
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:VJcnLYnAVbOFLaCPLrGGbhaWEu6d3RmryqLkeAShObPb1AYcRMMXjkfa0nYBwggD:VcMC8lLrRbhy1ZqLyShYb1FHQ4C0nYQJ
                                                                                                                          MD5:C9F9364C659E2F0C626AC0D0BB519062
                                                                                                                          SHA1:C4036C576074819309D03BB74C188BF902D1AE00
                                                                                                                          SHA-256:6FC428CA0DCFC27D351736EF16C94D1AB08DDA50CB047A054F37EC028DD08AA2
                                                                                                                          SHA-512:173A5E68E55163B081C5A8DA24AE46428E3FB326EBE17AE9588C7F7D7E5E5810BFCF08C23C3913D6BEC7369E06725F50387612F697AC6A444875C01A2C94D0FF
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):288
                                                                                                                          Entropy (8bit):3.523917709458511
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fxnxUXC1l8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnySvNGHmD0wbnKYZAH/lMZqiv
                                                                                                                          MD5:4A9A2E8DB82C90608C96008A5B6160EF
                                                                                                                          SHA1:A49110814D9546B142C132EBB5B9D8A1EC23E2E6
                                                                                                                          SHA-256:4FA948EEB075DFCB8DCA773A3F994560C69D275690953625731C4743CD5729F7
                                                                                                                          SHA-512:320B9CC860FFBDB0FD2DB7DA7B7B129EEFF3FFB2E4E4820C3FBBFEA64735EB8CFE1F4BB5980302770C0F77FF575825F2D9A8BB59FC80AD4C198789B3D581963B
                                                                                                                          Malicious:false
                                                                                                                           Preview:[File]..OriginalName: chicago.xsl..Component: WordFiles..ReqVer: 14..Executable: {WD}..StoreLocation: {My Templates}..Command: /f {FilePath}....
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):296658
                                                                                                                          Entropy (8bit):5.000002997029767
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:RwprAMk0qvtfL/vF/bkWPz9yv7EOMBPitjASjTQQr7IwR0TnyDkJb78plJwf33iV:M
                                                                                                                          MD5:9AC6DE7B629A4A802A41F93DB2C49747
                                                                                                                          SHA1:3D6E929AA1330C869D83F2BF8EBEBACD197FB367
                                                                                                                          SHA-256:52984BC716569120D57C8E6A360376E9934F00CF31447F5892514DDCCF546293
                                                                                                                          SHA-512:5736F14569E0341AFB5576C94B0A7F87E42499CEC5927AAC83BB5A1F77B279C00AEA86B5F341E4215076D800F085D831F34E4425AD9CFD52C7AE4282864B1E73
                                                                                                                          Malicious:false
                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):332
                                                                                                                          Entropy (8bit):3.4871192480632223
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fxnxUXsdDUaw93Ti8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyoRw9eNGHmD0wbnKYZAH/lMZqiv
                                                                                                                          MD5:333BA58FCE326DEA1E4A9DE67475AA95
                                                                                                                          SHA1:F51FAD5385DC08F7D3E11E1165A18F2E8A028C14
                                                                                                                          SHA-256:66142D15C7325B98B199AB6EE6F35B7409DE64EBD5C0AB50412D18CBE6894097
                                                                                                                          SHA-512:BFEE521A05B72515A8D4F7D13D8810846DC60F1E85C363FFEBD6CACD23AE8D2E664C563FC74700A4ED4E358F378508D25C46CB5BE1CF587E2E278EBC22BB2625
                                                                                                                          Malicious:false
                                                                                                                          Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .m.l.a.s.e.v.e.n.t.h.e.d.i.t.i.o.n.o.f.f.i.c.e.o.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):254875
                                                                                                                          Entropy (8bit):5.003842588822783
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:MwprAnniNgtfbzbOWPuv7kOMBLitjAUjTQLrYHwR0TnyDkHqV3iPr1zHX5T6SSXj:a
                                                                                                                          MD5:377B3E355414466F3E3861BCE1844976
                                                                                                                          SHA1:0B639A3880ACA3FD90FA918197A669CC005E2BA4
                                                                                                                          SHA-256:4AC5B26C5E66E122DE80243EF621CA3E1142F643DD2AD61B75FF41CFEE3DFFAF
                                                                                                                          SHA-512:B050AD52A8161F96CBDC880DD1356186F381B57159F5010489B04528DB798DB955F0C530465AB3ECD5C653586508429D98336D6EB150436F1A53ABEE0697AEB9
                                                                                                                          Malicious:false
                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>...</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />......<xsl:variable name="prop_EndChars">.....<xsl:call-template name="templ_prop_EndChars"/>....</xsl:variable>......<xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parameters" />......
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):302
                                                                                                                          Entropy (8bit):3.537169234443227
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fxnxUXfQIUA/e/Wl8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyXZ/eulNGHmD0wbnKYZAH/lMZqiv
                                                                                                                          MD5:9C00979164E78E3B890E56BE2DF00666
                                                                                                                          SHA1:1FA3C439D214C34168ADF0FBA5184477084A0E51
                                                                                                                          SHA-256:21CCB63A82F1E6ACD6BAB6875ABBB37001721675455C746B17529EE793382C7B
                                                                                                                          SHA-512:54AC8732C2744B60DA744E54D74A2664658E4257A136ABE886FF21585E8322E028D8243579D131EF4E9A0ABDDA70B4540A051C8B8B60D65C3EC0888FD691B9A7
                                                                                                                          Malicious:false
                                                                                                                          Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .i.s.o.6.9.0.n.m.e.r.i.c.a.l...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):217137
                                                                                                                          Entropy (8bit):5.068335381017074
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:AwprA3Z95vtf58pb1WP2DCvCmvQursq7vIme5QyQzSS1apSiQhHDlruvoVeMUwFj:4P
                                                                                                                          MD5:3BF8591E1D808BCCAD8EE2B822CC156B
                                                                                                                          SHA1:9CC1E5EFD715BD0EAE5AF983FB349BAC7A6D7BA0
                                                                                                                          SHA-256:7194396E5C833E6C8710A2E5D114E8E24338C64EC9818D51A929D57A5E4A76C8
                                                                                                                          SHA-512:D434A4C15DA3711A5DAAF5F7D0A5E324B4D94A04B3787CA35456BFE423EAC9D11532BB742CDE6E23C16FA9FD203D3636BD198B41C7A51E7D3562D5306D74F757
                                                                                                                          Malicious:false
                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>...... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parame
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):16806
                                                                                                                          Entropy (8bit):7.9519793977093505
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:eSMjhqgJDGwOzHR3iCpK+QdLdfufFJ9aDn9LjDMVAwHknbz7OW:eSkhqglGwERSAHQdLhDn9AKokv7H
                                                                                                                          MD5:950F3AB11CB67CC651082FEBE523AF63
                                                                                                                          SHA1:418DE03AD2EF93D0BD29C3D7045E94D3771DACB4
                                                                                                                          SHA-256:9C5E4D8966A0B30A22D92DB1DA2F0DBF06AC2EA75E7BB8501777095EA0196974
                                                                                                                          SHA-512:D74BF52A58B0C0327DB9DDCAD739794020F00B3FA2DE2B44DAAEC9C1459ECAF3639A5D761BBBC6BDF735848C4FD7E124D13B23964B0055BB5AA4F6AFE76DFE00
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):254
                                                                                                                          Entropy (8bit):3.4720677950594836
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fxnxUXOu9+MlWlk2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnycMlWlzGHmD0+dAH/luWvv
                                                                                                                          MD5:D04EC08EFE18D1611BDB9A5EC0CC00B1
                                                                                                                          SHA1:668FF6DFE64D5306220341FC2C1353199D122932
                                                                                                                          SHA-256:FA60500F951AFAF8FFDB6D1828456D60004AE1558E8E1364ADC6ECB59F5450C9
                                                                                                                          SHA-512:97EBCCAF64FA33238B7CFC0A6D853EFB050D877E21EE87A78E17698F0BB38382FCE7F6C4D97D550276BD6B133D3099ECAB9CFCD739F31BFE545F4930D896EEC3
                                                                                                                          Malicious:false
                                                                                                                          Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .C.i.r.c.l.e.P.r.o.c.e.s.s...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):242
                                                                                                                          Entropy (8bit):3.4938093034530917
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fxnxUX44lWWoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyvToGHmD0+dAH/luWvv
                                                                                                                          MD5:A6B2731ECC78E7CED9ED5408AB4F2931
                                                                                                                          SHA1:BA15D036D522978409846EA682A1D7778381266F
                                                                                                                          SHA-256:6A2F9E46087B1F0ED0E847AF05C4D4CC9F246989794993E8F3E15B633EFDD744
                                                                                                                          SHA-512:666926612E83A7B4F6259C3FFEC3185ED3F07BDC88D43796A24C3C9F980516EB231BDEA4DC4CC05C6D7714BA12AE2DCC764CD07605118698809DEF12A71F1FDD
                                                                                                                          Malicious:false
                                                                                                                          Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.a.b.L.i.s.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4888
                                                                                                                          Entropy (8bit):7.8636569313247335
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:StrFZ23/juILHPzms5UTuK9CuZGEoEuZ28H1HiGa2RnnLY+tUb:SPZQ7uCHPzms5UTlqauZVHdJRnLY+tUb
                                                                                                                          MD5:0A4CA91036DC4F3CD8B6DBF18094CF25
                                                                                                                          SHA1:6C7EED2530CD0032E9EEAB589AFBC296D106FBB9
                                                                                                                          SHA-256:E5A56CCB3B3898F76ABF909209BFAB401B5DDCD88289AD43CE96B02989747E50
                                                                                                                          SHA-512:7C69426F2250E8C84368E8056613C22977630A4B3F5B817FB5EA69081CE2A3CA6E5F93DF769264253D5411419AF73467A27F0BB61291CCDE67D931BD0689CB66
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):260
                                                                                                                          Entropy (8bit):3.494357416502254
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fxnxUX0XPE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyEXPGHmD0+dAH/luWvv
                                                                                                                          MD5:6F8FE7B05855C203F6DEC5C31885DD08
                                                                                                                          SHA1:9CC27D17B654C6205284DECA3278DA0DD0153AFF
                                                                                                                          SHA-256:B7F58DF058C938CCF39054B31472DC76E18A3764B78B414088A261E440870175
                                                                                                                          SHA-512:C518A243E51CB4A1E3C227F6A8A8D9532EE111D5A1C86EBBB23BD4328D92CD6A0587DF65B3B40A0BE2576D8755686D2A3A55E10444D5BB09FC4E0194DB70AFE6
                                                                                                                          Malicious:false
                                                                                                                          Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.h.e.m.e.P.i.c.t.u.r.e.G.r.i.d...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6193
                                                                                                                          Entropy (8bit):7.855499268199703
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:WavHMKgnU2HUGFhUnkbOKoztj1QfcnLYut3d8:YKeUlGXUnC+HQSMp
                                                                                                                          MD5:031C246FFE0E2B623BBBD231E414E0D2
                                                                                                                          SHA1:A57CA6134779D54691A4EFD344BC6948E253E0BA
                                                                                                                          SHA-256:2D76C8D1D59EDB40D1FBBC6406A06577400582D1659A544269500479B6753CF7
                                                                                                                          SHA-512:6A784C28E12C3740300883A0E690F560072A3EA8199977CBD7F260A21E8346B82BA8A4F78394D3BB53FA2E98564B764C2D0232C40B25FB6085C36D20D70A39D1
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):290
                                                                                                                          Entropy (8bit):3.5081874837369886
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fxnxUXCOzi8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnydONGHmD0wbnKYZAH/lMZqiv
                                                                                                                          MD5:8D9B02CC69FA40564E6C781A9CC9E626
                                                                                                                          SHA1:352469A1ABB8DA1DC550D7E27924E552B0D39204
                                                                                                                          SHA-256:1D4483830710EF4A2CC173C3514A9F4B0ACA6C44DB22729B7BE074D18C625BAE
                                                                                                                          SHA-512:8B7DB2AB339DD8085104855F847C48970C2DD32ADB0B8EEA134A64C5CC7DE772615F85D057F4357703B65166C8CF0C06F4F6FD3E60FFC80DA3DD34B16D5B1281
                                                                                                                          Malicious:false
                                                                                                                          Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .g.o.s.t.n.a.m.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):255948
                                                                                                                          Entropy (8bit):5.103631650117028
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:gwprAm795vtfb8p4bgWPWEtTmtcRCDPThNPFQwB+26RxlsIBkAgRMBHcTCwsHe5a:kW
                                                                                                                          MD5:9888A214D362470A6189DEFF775BE139
                                                                                                                          SHA1:32B552EB3C73CD7D0D9D924C96B27A86753E0F97
                                                                                                                          SHA-256:C64ED5C2A323C00E84272AD3A701CAEBE1DCCEB67231978DE978042F09635FA7
                                                                                                                          SHA-512:8A75FC2713003FA40B9730D29C786C76A796F30E6ACE12064468DD2BB4BF97EF26AC43FFE1158AB1DB06FF715D2E6CDE8EF3E8B7C49AA1341603CE122F311073
                                                                                                                          Malicious:false
                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>............<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select=
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):374
                                                                                                                          Entropy (8bit):3.5414485333689694
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fxnxUX8FaE3f8AWqlQqr++lcWimqnKOE3QepmlJ0+3FbnKfZObdADryMluxHZypo:fxnyj9AWI+acgq9GHmD0wbnKYZAH/lMf
                                                                                                                          MD5:2F7A8FE4E5046175500AFFA228F99576
                                                                                                                          SHA1:8A3DE74981D7917E6CE1198A3C8E35C7E2100F43
                                                                                                                          SHA-256:1495B4EC56B371148EA195D790562E5621FDBF163CDD8A5F3C119F8CA3BD2363
                                                                                                                          SHA-512:4B8FBB692D91D88B584E46C2F01BDE0C05DCD5D2FF073D83331586FB3D201EACD777D48DB3751E534E22115AA1C3C30392D0D642B3122F21EF10E3EE6EA3BE82
                                                                                                                          Malicious:false
                                                                                                                          Preview:[File] | OriginalName: Text Sidebar (Annual Report Red and Black design).docx | Component: WordFiles | ReqVer: 14 | Executable: {WD} | StoreLocation: {My Templates} | Command: /f {FilePath}
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Word 2007+
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):47296
                                                                                                                          Entropy (8bit):6.42327948041841
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:ftjI1BT8N37szq00s7dB2wMVJGHR97/RDU5naXUsT:fJIPTfq0ndB2w1bpsE
                                                                                                                          MD5:5A53F55DD7DA8F10A8C0E711F548B335
                                                                                                                          SHA1:035E685927DA2FECB88DE9CAF0BECEC88BC118A7
                                                                                                                          SHA-256:66501B659614227584DA04B64F44309544355E3582F59DBCA3C9463F67B7E303
                                                                                                                          SHA-512:095BD5D1ACA2A0CA3430DE2F005E1D576AC9387E096D32D556E4348F02F4D658D0E22F2FC4AA5BF6C07437E6A6230D2ABF73BBD1A0344D73B864BC4813D60861
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):292
                                                                                                                          Entropy (8bit):3.5026803317779778
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fxnxUXC89ADni8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyf9ADiNGHmD0wbnKYZAH/lMZqiv
                                                                                                                          MD5:A0D51783BFEE86F3AC46A810404B6796
                                                                                                                          SHA1:93C5B21938DA69363DBF79CE594C302344AF9D9E
                                                                                                                          SHA-256:47B43E7DBDF8B25565D874E4E071547666B08D7DF4D736EA8521591D0DED640F
                                                                                                                          SHA-512:CA3DB5A574745107E1D6CAA60E491F11D8B140637D4ED31577CC0540C12FDF132D8BC5EBABEA3222F4D7BA1CA016FF3D45FE7688D355478C27A4877E6C4D0D75
                                                                                                                          Malicious:false
                                                                                                                          Preview:[File] | OriginalName: gosttitle.xsl | Component: WordFiles | ReqVer: 14 | Executable: {WD} | StoreLocation: {My Templates} | Command: /f {FilePath}
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):251032
                                                                                                                          Entropy (8bit):5.102652100491927
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:hwprA5R95vtfb8p4bgWPwW6/m26AnV9IBgIkqm6HITUZJcjUZS1XkaNPQTlvB2zr:JA
                                                                                                                          MD5:F425D8C274A8571B625EE66A8CE60287
                                                                                                                          SHA1:29899E309C56F2517C7D9385ECDBB719B9E2A12B
                                                                                                                          SHA-256:DD7B7878427276AF5DBF8355ECE0D1FE5D693DF55AF3F79347F9D20AE50DB938
                                                                                                                          SHA-512:E567F283D903FA533977B30FD753AA1043B9DDE48A251A9AC6777A3B67667443FEAD0003765A630D0F840B6C275818D2F903B6CB56136BEDCC6D9BDD20776564
                                                                                                                          Malicious:false
                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):258
                                                                                                                          Entropy (8bit):3.4692172273306268
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fxnxUXcq9DsoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnysmYoGHmD0+dAH/luWvv
                                                                                                                          MD5:C1B36A0547FB75445957A619201143AC
                                                                                                                          SHA1:CDB0A18152F57653F1A707D39F3D7FB504E244A7
                                                                                                                          SHA-256:4DFF7D1CEF6DD85CC73E1554D705FA6586A1FBD10E4A73EEE44EAABA2D2FFED9
                                                                                                                          SHA-512:0923FB41A6DB96C85B44186E861D34C26595E37F30A6F8E554BD3053B99F237D9AC893D47E8B1E9CF36556E86EFF5BE33C015CBBDD31269CDAA68D6947C47F3F
                                                                                                                          Malicious:false
                                                                                                                          Preview:[File] | OriginalName: pictureorgchart.glox | Component: WordFiles | ReqVer: 14 | StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7370
                                                                                                                          Entropy (8bit):7.9204386289679745
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:fYa+ngK2xG6HvLvoUnXxO+blKO1lt2Zg0AV:fYVn8Y6Hv3XxO+8uQZCV
                                                                                                                          MD5:586CEBC1FAC6962F9E36388E5549FFE9
                                                                                                                          SHA1:D1EF3BF2443AE75A78E9FDE8DD02C5B3E46F5F2E
                                                                                                                          SHA-256:1595C0C027B12FE4C2B506B907C795D14813BBF64A2F3F6F5D71912D7E57BC40
                                                                                                                          SHA-512:68DEAE9C59EA98BD597AE67A17F3029BC7EA2F801AC775CF7DECA292069061EA49C9DF5776CB5160B2C24576249DAF817FA463196A04189873CF16EFC4BEDC62
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):286
                                                                                                                          Entropy (8bit):3.538396048757031
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fxnxUXcel8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyMelNGHmD0wbnKYZAH/lMZqiv
                                                                                                                          MD5:149948E41627BE5DC454558E12AF2DA4
                                                                                                                          SHA1:DB72388C037F0B638FCD007FAB46C916249720A8
                                                                                                                          SHA-256:1B981DC422A042CDDEBE2543C57ED3D468288C20D280FF9A9E2BB4CC8F4776ED
                                                                                                                          SHA-512:070B55B305DB48F7A8CD549A5AECF37DE9D6DCD780A5EC546B4BB2165AF4600FA2AF350DDDB48BECCAA3ED954AEE90F5C06C3183310B081F555389060FF4CB01
                                                                                                                          Malicious:false
                                                                                                                          Preview:[File] | OriginalName: sist02.xsl | Component: WordFiles | ReqVer: 14 | Executable: {WD} | StoreLocation: {My Templates} | Command: /f {FilePath}
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):250983
                                                                                                                          Entropy (8bit):5.057714239438731
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:JwprA6OS95vtfb8p4bgWPzkhUh9I5/oBRSifJeg/yQzvapSiQhHZeruvoXMUw3im:uP
                                                                                                                          MD5:F883B260A8D67082EA895C14BF56DD56
                                                                                                                          SHA1:7954565C1F243D46AD3B1E2F1BAF3281451FC14B
                                                                                                                          SHA-256:EF4835DB41A485B56C2EF0FF7094BC2350460573A686182BC45FD6613480E353
                                                                                                                          SHA-512:D95924A499F32D9B4D9A7D298502181F9E9048C21DBE0496FA3C3279B263D6F7D594B859111A99B1A53BD248EE69B867D7B1768C42E1E40934E0B990F0CE051E
                                                                                                                          Malicious:false
                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):256
                                                                                                                          Entropy (8bit):3.464918006641019
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fxnxUXR+EqRGRnRE3QepmlJ0+3FbnKfZObdADxp1RDWlVwv:fxnyB+5RmRGHmD0wbnKYZAH+Vwv
                                                                                                                          MD5:93149E194021B37162FD86684ED22401
                                                                                                                          SHA1:1B31CAEBE1BBFA529092BE834D3B4AD315A6F8F1
                                                                                                                          SHA-256:50BE99A154A6F632D49B04FCEE6BCA4D6B3B4B7C1377A31CE9FB45C462D697B2
                                                                                                                          SHA-512:410A7295D470EC85015720B2B4AC592A472ED70A04103D200FA6874BEA6A423AF24766E98E5ACAA3A1DBC32C44E8790E25D4611CD6C0DBFFFE8219D53F33ACA7
                                                                                                                          Malicious:false
                                                                                                                          Preview:[File] | OriginalName: Equations.dotx | Component: WordFiles | ReqVer: 14 | Executable: {WD} | StoreLocation: {WD Document Parts}
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Word 2007+
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):51826
                                                                                                                          Entropy (8bit):5.541375256745271
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:erH5dYPCA4t3aEFGiSUDtYfEbi5Ry/AT7/6tHODaFlDSomurYNfT4A0VIwWNS89u:Q6Cbh9tENyWdaFUSYNfZS89/3qtEu
                                                                                                                          MD5:2AB22AC99ACFA8A82742E774323C0DBD
                                                                                                                          SHA1:790F8B56DF79641E83A16E443A75A66E6AA2F244
                                                                                                                          SHA-256:BC9D45D0419A08840093B0BF4DCF96264C02DFE5BD295CD9B53722E1DA02929D
                                                                                                                          SHA-512:E5715C0ECF35CE250968BD6DE5744D28A9F57D20FD6866E2AF0B2D8C8F80FEDC741D48F554397D61C5E702DA896BD33EED92D778DBAC71E2E98DCFB0912DE07B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):274
                                                                                                                          Entropy (8bit):3.438490642908344
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fxnxUXZlaWimoa2nRE3QepmlJ0+3FbnKfZObdADxp1RDWlVwv:fxnyplagN2RGHmD0wbnKYZAH+Vwv
                                                                                                                          MD5:0F98498818DC28E82597356E2650773C
                                                                                                                          SHA1:1995660972A978D17BC483FCB5EE6D15E7058046
                                                                                                                          SHA-256:4587CA0B2A60728FF0A5B8E87D35BF6C6FDF396747E13436EC856612AC1C6288
                                                                                                                          SHA-512:768562F20CFE15001902CCE23D712C7439721ECA6E48DDDCF8BFF4E7F12A3BC60B99C274CBADD0128EEA1231DB19808BAA878E825497F3860C381914C21B46FF
                                                                                                                          Malicious:false
                                                                                                                          Preview:[File]..OriginalName: Element design set.dotx..Component: WordFiles..ReqVer: 14..Executable: {WD}..StoreLocation: {WD Document Parts}..
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Word 2007+
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):34415
                                                                                                                          Entropy (8bit):7.352974342178997
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:ev13NPo9o5NGEVIi3kvH+3SMdk7zp3tE2:ev13xoOE+R3BkR7
                                                                                                                          MD5:7CDFFC23FB85AD5737452762FA36AAA0
                                                                                                                          SHA1:CFBC97247959B3142AFD7B6858AD37B18AFB3237
                                                                                                                          SHA-256:68A8FBFBEE4C903E17C9421082E839144C205C559AFE61338CBDB3AF79F0D270
                                                                                                                          SHA-512:A0685FD251208B772436E9745DA2AA52BC26E275537688E3AB44589372D876C9ACE14B21F16EC4053C50EB4C8E11787E9B9D922E37249D2795C5B7986497033E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):252
                                                                                                                          Entropy (8bit):3.48087342759872
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fxnxUXXt1MIae2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyfMIaRGHmD0+dAH/luWvv
                                                                                                                          MD5:69757AF3677EA8D80A2FBE44DEE7B9E4
                                                                                                                          SHA1:26AF5881B48F0CB81F194D1D96E3658F8763467C
                                                                                                                          SHA-256:0F14CA656CDD95CAB385F9B722580DDE2F46F8622E17A63F4534072D86DF97C3
                                                                                                                          SHA-512:BDA862300BAFC407D662872F0BFB5A7F2F72FE1B7341C1439A22A70098FA50C81D450144E757087778396496777410ADCE4B11B655455BEDC3D128B80CFB472A
                                                                                                                          Malicious:false
                                                                                                                          Preview:[File]..OriginalName: PictureFrame.glox..Component: WordFiles..ReqVer: 14..StoreLocation: {My Templates}\SmartArt Graphics..
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4326
                                                                                                                          Entropy (8bit):7.821066198539098
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:+fF+Jrp7Yo5hnJiGa24TxEcpUeONo1w2NFocy2LQi33Z:2+f7YuhJdJ4TxEcmKwGkk3Z
                                                                                                                          MD5:D32E93F7782B21785424AE2BEA62B387
                                                                                                                          SHA1:1D5589155C319E28383BC01ED722D4C2A05EF593
                                                                                                                          SHA-256:2DC7E71759D84EF8BB23F11981E2C2044626FEA659383E4B9922FE5891F5F478
                                                                                                                          SHA-512:5B07D6764A6616A7EF25B81AB4BD4601ECEC1078727BFEAB4A780032AD31B1B26C7A2306E0DBB5B39FC6E03A3FC18AD67C170EA9790E82D8A6CEAB8E7F564447
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):246
                                                                                                                          Entropy (8bit):3.5039994158393686
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fxnxUX4f+E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyvGHmD0+dAH/luWvv
                                                                                                                          MD5:16711B951E1130126E240A6E4CC2E382
                                                                                                                          SHA1:8095AA79AEE029FD06428244CA2A6F28408448DB
                                                                                                                          SHA-256:855342FE16234F72DA0C2765455B69CF412948CFBE70DE5F6D75A20ACDE29AE9
                                                                                                                          SHA-512:454EAA0FD669489583C317699BE1CE5D706C31058B08CF2731A7621FDEFB6609C2F648E02A7A4B2B3A3DFA8406A696D1A6FA5063DDA684BDA4450A2E9FEFB0EF
                                                                                                                          Malicious:false
                                                                                                                          Preview:[File]..OriginalName: TabbedArc.glox..Component: WordFiles..ReqVer: 14..StoreLocation: {My Templates}\SmartArt Graphics..
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3683
                                                                                                                          Entropy (8bit):7.772039166640107
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:GyfQZd6ZHNCWl9aXFkZwIq/QDsRYPf8P9QtDIs5r:G6wYtNZS1k99AmPfSOtD5r
                                                                                                                          MD5:E8308DA3D46D0BC30857243E1B7D330D
                                                                                                                          SHA1:C7F8E54A63EB254C194A23137F269185E07F9D10
                                                                                                                          SHA-256:6534D4D7EF31B967DD0A20AFFF092F8B93D3C0EFCBF19D06833F223A65C6E7C4
                                                                                                                          SHA-512:88AB7263B7A8D7DDE1225AE588842E07DF3CE7A07CBD937B7E26DA7DA7CFED23F9C12730D9EF4BC1ACF26506A2A96E07875A1A40C2AD55AD1791371EE674A09B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):264
                                                                                                                          Entropy (8bit):3.4866056878458096
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fxnxUX0XrZUloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyEXWloGHmD0+dAH/luWvv
                                                                                                                          MD5:6C489D45F3B56845E68BE07EA804C698
                                                                                                                          SHA1:C4C9012C0159770CB882870D4C92C307126CEC3F
                                                                                                                          SHA-256:3FE447260CDCDEE287B8D01CF5F9F53738BFD6AAEC9FB9787F2826F8DEF1CA45
                                                                                                                          SHA-512:D1355C48A09E7317773E4F1613C4613B7EA42D21F5A6692031D288D69D47B19E8F4D5A29AFD8B751B353FC7DE865EAE7CFE3F0BEC05F33DDF79526D64A29EB18
                                                                                                                          Malicious:false
                                                                                                                          Preview:[File]..OriginalName: ThemePictureAccent.glox..Component: WordFiles..ReqVer: 14..StoreLocation: {My Templates}\SmartArt Graphics..
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6448
                                                                                                                          Entropy (8bit):7.897260397307811
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:tgaoRbo1sMjb0NiJ85oPtqcS+yaXWoa8XBzdJYnLYFtWT7:LR1sk+i4o1qc1yaukzd8MK
                                                                                                                          MD5:42A840DC06727E42D42C352703EC72AA
                                                                                                                          SHA1:21AAAF517AFB76BF1AF4E06134786B1716241D29
                                                                                                                          SHA-256:02CCE7D526F844F70093AC41731D1A1E9B040905DCBA63BA8BFFC0DBD4D3A7A7
                                                                                                                          SHA-512:8886BFD240D070237317352DEB3D46C6B07E392EBD57730B1DED016BD8740E75B9965F7A3FCD43796864F32AAE0BE911AB1A670E9CCC70E0774F64B1BDA93488
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):286
                                                                                                                          Entropy (8bit):3.5502940710609354
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:fxnxUXfQICl8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyXClNGHmD0wbnKYZAH/lMZqiv
                                                                                                                          MD5:9B8D7EFE8A69E41CDC2439C38FE59FAF
                                                                                                                          SHA1:034D46BEC5E38E20E56DD905E2CA2F25AF947ED1
                                                                                                                          SHA-256:70042F1285C3CD91DDE8D4A424A5948AE8F1551495D8AF4612D59709BEF69DF2
                                                                                                                          SHA-512:E50BB0C68A33D35F04C75F05AD4598834FEC7279140B1BB0847FF39D749591B8F2A0C94DA4897AAF6C33C50C1D583A836B0376015851910A77604F8396C7EF3C
                                                                                                                          Malicious:false
                                                                                                                          Preview:[File]..OriginalName: iso690.xsl..Component: WordFiles..ReqVer: 14..Executable: {WD}..StoreLocation: {My Templates}..Command: /f {FilePath}..
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):270198
                                                                                                                          Entropy (8bit):5.073814698282113
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:JwprAiaR95vtfb8pDbgWPzDCvCmvQursq7vImej/yQ4SS1apSiQhHDOruvoVeMUX:We
                                                                                                                          MD5:FF0E07EFF1333CDF9FC2523D323DD654
                                                                                                                          SHA1:77A1AE0DD8DBC3FEE65DD6266F31E2A564D088A4
                                                                                                                          SHA-256:3F925E0CC1542F09DE1F99060899EAFB0042BB9682507C907173C392115A44B5
                                                                                                                          SHA-512:B4615F995FAB87661C2DBE46625AA982215D7BDE27CAFAE221DCA76087FE76DA4B4A381943436FCAC1577CB3D260D0050B32B7B93E3EB07912494429F126BB3D
                                                                                                                          Malicious:false
                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 206792 bytes, 2 files, at 0x44 +A "content.inf" +A "View.thmx", flags 0x4, ID 33885, number 1, extra bytes 20 in head, 15 datablocks, 0x1503 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):222992
                                                                                                                          Entropy (8bit):7.554077961103885
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:k8/c2cF9GTLqsTmYstUdx+dwb2ooiVOfiI17:jbzqGdpbZ/Mf3h
                                                                                                                          MD5:BD319A6250B64DD23FE11AD48CB75207
                                                                                                                          SHA1:E71E4248B49EF6B09B5AF35D2876A5A539533E75
                                                                                                                          SHA-256:2AC051AC769775A1B15DE0CE1496D3C7370108C25CBA86CC9917494F845C2D39
                                                                                                                          SHA-512:1C1ACAC9D30466953C6E9F5D05936E1223A903E39F1A9D2860D0B159508739A1AFCC4949883C3946AA9C42BD10C0CB3012C36D9C05498468423137D91DDA55B8
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 252241 bytes, 2 files, at 0x44 +A "content.inf" +A "Frame.thmx", flags 0x4, ID 34169, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):271273
                                                                                                                          Entropy (8bit):7.995547668305345
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:6144:zfdvQnJMwXse4Vradf3mrC7woyWbjKlCVC7K:zfJwJse4VrS1AK
                                                                                                                          MD5:21437897C9B88AC2CB2BB2FEF922D191
                                                                                                                          SHA1:0CAD3D026AF2270013F67E43CB44F0568013162D
                                                                                                                          SHA-256:372572DCBAD590F64F5D18727757CBDF9366DDE90955C79A0FCC9F536DAB0384
                                                                                                                          SHA-512:A74DA3775C19A7AF4A689FA4D920E416AB9F40A8BDA82CCF651DDB3EACBC5E932A120ABF55F855474CEBED0B0082F45D091E211AAEA6460424BFD23C2A445CC7
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 3400898 bytes, 2 files, at 0x4c "Insight design set.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 106 datablocks, 0x1203 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3417042
                                                                                                                          Entropy (8bit):7.997652455069165
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:98304:1YYkj2mRz6vkkB15AW4QD0ms+FdniD60bDUpS:qYkj7d6vP7NZDLn+PM8
                                                                                                                          MD5:749C3615E54C8E6875518CFD84E5A1B2
                                                                                                                          SHA1:64D51EB1156E850ECA706B00961C8B101F5AC2FC
                                                                                                                          SHA-256:F2D2DF37366F8E49106980377D2448080879027C380D90D5A25DA3BDAD771F8C
                                                                                                                          SHA-512:A5F591BA5C31513BD52BBFC5C6CAA79C036C7B50A55C4FDF96C84D311CCDCF1341F1665F1DA436D3744094280F98660481DCA4AA30BCEB3A7FCCB2A62412DC99
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 259074 bytes, 2 files, at 0x44 +A "content.inf" +A "Dividend.thmx", flags 0x4, ID 58359, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):276650
                                                                                                                          Entropy (8bit):7.66811159187066
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:H2a+HFkDF8gpmMt4kzwVVqhSYO6DITxPWgJl1CFExwX:mlZgFtIVVTuDExeWu
                                                                                                                          MD5:6A2A83700B927D7954FCCCABE31262C1
                                                                                                                          SHA1:E891C76EC114CA36325BBB2745DB4A851386585A
                                                                                                                          SHA-256:FB8D6AD2B0DE03D8F9F8B58518947CB5478C52BF053562A35D677C84D00D0490
                                                                                                                          SHA-512:B6600FE57B5F859D75FE5DE8EE05F74866108179198A8ABA3E83D0D4FDC51AF942F0C9A663E4A40B49FC38AC054D68BEB5F26798BE58DD9B450C0F41F992D746
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 3239239 bytes, 2 files, at 0x44 +A "content.inf" +A "Vapor_Trail.thmx", flags 0x4, ID 19811, number 1, extra bytes 20 in head, 111 datablocks, 0x1503 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3256855
                                                                                                                          Entropy (8bit):7.996842935632312
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:98304:wh7I1aeH9YvgK+A+a7GiiQzP4YZDpQ2+Sd6Y:w21ay93aypQzzhpBL/
                                                                                                                          MD5:8867BDF5FC754DA9DA6F5BA341334595
                                                                                                                          SHA1:5067CCE84C6C682B75C1EF3DEA067A8D58D80FA9
                                                                                                                          SHA-256:42323DD1D3E88C3207E16E0C95CA1048F2E4CD66183AD23B90171DA381D37B58
                                                                                                                          SHA-512:93421D7FE305D27E7E2FD8521A8B328063CD22FE4DE67CCCF5D3B8F0258EF28027195C53062D179CD2EBA3A7E6F6A34A7A29297D4AF57650AA6DD19D1EF8413D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 214772 bytes, 2 files, at 0x44 +A "content.inf" +A "Parcel.thmx", flags 0x4, ID 26500, number 1, extra bytes 20 in head, 19 datablocks, 0x1503 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):230916
                                                                                                                          Entropy (8bit):7.994759087207758
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:6144:OTIPtMXmJWnzPS3pqnkeuJXW+FNx1a72rLiQxEBTR:750nz63/FJRFLISnp+Bt
                                                                                                                          MD5:93FA9F779520AB2D22AC4EA864B7BB34
                                                                                                                          SHA1:D1E9F53A0E012A89978A3C9DED73FB1D380A9D8A
                                                                                                                          SHA-256:6A3801C1D4CF0C19A990282D93AC16007F6CACB645F0E0684EF2EDAC02647833
                                                                                                                          SHA-512:AA91B4565C88E5DA0CF294DC4A2C91EAEB6D81DCA96069DB032412E1946212A13C3580F5C0143DD28B33F4849D2C2DF2214CE1E20598D634E78663D20F03C4E6
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 243642 bytes, 2 files, at 0x44 +A "content.inf" +A "Metropolitan.thmx", flags 0x4, ID 19054, number 1, extra bytes 20 in head, 24 datablocks, 0x1503 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):261258
                                                                                                                          Entropy (8bit):7.99541965268665
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:6144:9blShNYrHNn0JU+D+kh8CIjXHWC7X0nZLC9Ge2KY/WfI:9ZSTYrtn0Sk+CIDHWC7chVKYx
                                                                                                                          MD5:65828DC7BE8BA1CE61AD7142252ACC54
                                                                                                                          SHA1:538B186EAF960A076474A64F508B6C47B7699DD3
                                                                                                                          SHA-256:849E2E915AA61E2F831E54F337A745A5946467D539CCBD0214B4742F4E7E94FF
                                                                                                                          SHA-512:8C129F26F77B4E73BF02DE8F9A9F432BB7E632EE4ABAD560A331C2A12DA9EF5840D737BFC1CE24FDCBB7EF39F30F98A00DD17F42C51216F37D0D237145B8DE15
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 533290 bytes, 2 files, at 0x44 +A "content.inf" +A "Parallax.thmx", flags 0x4, ID 64081, number 1, extra bytes 20 in head, 29 datablocks, 0x1503 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):550906
                                                                                                                          Entropy (8bit):7.998289614787931
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:12288:N4Ar9NyDhUQM0Hk86V1YnOIxQ9e6SJbj2OjK:jAG8wa5Qw6SZ2Oj
                                                                                                                          MD5:1C12315C862A745A647DAD546EB4267E
                                                                                                                          SHA1:B3FA11A511A634EEC92B051D04F8C1F0E84B3FD6
                                                                                                                          SHA-256:4E2E93EBAC4AD3F8690B020040D1AE3F8E7905AB7286FC25671E07AA0282CAC0
                                                                                                                          SHA-512:CA8916694D42BAC0AD38B453849958E524E9EED2343EBAA10DF7A8ACD13DF5977F91A4F2773F1E57900EF044CFA7AF8A94B3E2DCE734D7A467DBB192408BC240
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 624532 bytes, 2 files, at 0x44 +A "content.inf" +A "Quotable.thmx", flags 0x4, ID 13510, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):640684
                                                                                                                          Entropy (8bit):7.99860205353102
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:12288:eV7ivfl+kbkIrWu+2aoRjwv/cSUWauGPo2v65s4QqcT3ZCCz6CSj8aC:fdhr1+3y4MWaC2CO4V+3ZCCDsO
                                                                                                                          MD5:F93364EEC6C4FFA5768DE545A2C34F07
                                                                                                                          SHA1:166398552F6B7F4509732E148F93E207DD60420B
                                                                                                                          SHA-256:296B915148B29751E68687AE37D3FAFD9FFDDF458C48EB059A964D8F2291E899
                                                                                                                          SHA-512:4F0965B4C5F543B857D9A44C7A125DDD3E8B74837A0FDD80C1FDC841BF22FC4CE4ADB83ACA8AA65A64F8AE6D764FA7B45B58556F44CFCE92BFAC43762A3BC5F4
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 704319 bytes, 2 files, at 0x44 +A "content.inf" +A "Wood_Type.thmx", flags 0x4, ID 5778, number 1, extra bytes 20 in head, 51 datablocks, 0x1503 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):723359
                                                                                                                          Entropy (8bit):7.997550445816903
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:12288:NPnBZX7wR3tMwYqNDQGnXTtfzO5U7yo6O7bLhe8yE3LLDok4a:JBMbYE7xzO5U917bLh/DL3oJa
                                                                                                                          MD5:748A53C6BDD5CE97BD54A76C7A334286
                                                                                                                          SHA1:7DD9EEDB13AC187E375AD70F0622518662C61D9F
                                                                                                                          SHA-256:9AF92B1671772E8E781B58217DAB481F0AFBCF646DE36BC1BFFC7D411D14E351
                                                                                                                          SHA-512:EC8601D1A0DBD5D79C67AF2E90FAD44BBC0B890412842BF69065A2C7CB16C12B1C5FF594135C7B67B830779645801DA20C9BE8D629B6AD8A3BA656E0598F0540
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 682092 bytes, 2 files, at 0x44 +A "Berlin.thmx" +A "content.inf", flags 0x4, ID 46672, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):698244
                                                                                                                          Entropy (8bit):7.997838239368002
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:12288:bUfKzAwwP7XAMWtr4FvMRt4lX0hnBdThiSb32+TdysrQgn7v4EemC6:sr7AMkJ34xu1bm4ZrQaY6
                                                                                                                          MD5:E29CE2663A56A1444EAA3732FFB82940
                                                                                                                          SHA1:767A14B51BE74D443B5A3FEFF4D870C61CB76501
                                                                                                                          SHA-256:3732EB6166945DB2BF792DA04199B5C4A0FB3C96621ECBFDEAF2EA1699BA88EE
                                                                                                                          SHA-512:6BC420F3A69E03D01A955570DC0656C83C9E842C99CF7B429122E612E1E54875C61063843D8A24DB7EC2035626F02DDABF6D84FC3902184C1EFF3583DBB4D3D8
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 937309 bytes, 2 files, at 0x44 +A "content.inf" +A "Gallery.thmx", flags 0x4, ID 44349, number 1, extra bytes 20 in head, 34 datablocks, 0x1503 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):953453
                                                                                                                          Entropy (8bit):7.99899040756787
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:24576:9B1Onw3vg7aeYPagzbJ5Vhv6LnV2Dhl7GEYqVjcyd:vww3o7BYPJbJ5Vh6UCqZfd
                                                                                                                          MD5:D4EAC009E9E7B64B8B001AE82B8102FA
                                                                                                                          SHA1:D8D166494D5813DB20EA1231DA4B1F8A9B312119
                                                                                                                          SHA-256:8B0631DA4DC79E036251379A0A68C3BA977F14BCC797BA0EB9692F8BB90DDB4D
                                                                                                                          SHA-512:561653F9920661027D006E7DEF7FB27DE23B934E4860E0DF78C97D183B7CEBD9DCE0D395E2018EEF1C02FC6818A179A661E18A2C26C4180AFEE5EF4F9C9C6035
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 1081343 bytes, 2 files, at 0x44 +A "Circuit.thmx" +A "content.inf", flags 0x4, ID 11309, number 1, extra bytes 20 in head, 45 datablocks, 0x1503 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1097591
                                                                                                                          Entropy (8bit):7.99825462915052
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:24576:UE9BMy98gA4cDWHkSrDans3MfEE6w8OaVuCibol0j41dwD:UE9Bdy3D4keQWt7w85VuVoaj4/Q
                                                                                                                          MD5:BF95E967E7D1CEC8EFE426BC0127D3DE
                                                                                                                          SHA1:BA44C5500A36D748A9A60A23DB47116D37FD61BC
                                                                                                                          SHA-256:4C3B008E0EB10A722D8FEDB325BFB97EDAA609B1E901295F224DD4CB4DF5FC26
                                                                                                                          SHA-512:0697E394ABAC429B00C3A4F8DB9F509E5D45FF91F3C2AF2C2A330D465825F058778C06B129865B6107A0731762AD73777389BB0E319B53E6B28C363232FA2CE8
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 1049713 bytes, 2 files, at 0x44 +A "content.inf" +A "Savon.thmx", flags 0x4, ID 60609, number 1, extra bytes 20 in head, 37 datablocks, 0x1503 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1065873
                                                                                                                          Entropy (8bit):7.998277814657051
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:24576:qehtHA3nsAOx7yN7THwxdGpkw8R60aTcua5U4c:hhmnsBMNAxdGpV5za5Uv
                                                                                                                          MD5:E1101CCA6E3FEDB28B57AF4C41B50D37
                                                                                                                          SHA1:990421B1D858B756E6695B004B26CDCCAE478C23
                                                                                                                          SHA-256:69B2675E47917A9469F771D0C634BD62B2DFA0F5D4AF3FD7AFE9196BF889C19E
                                                                                                                          SHA-512:B1EDEA65B6D0705A298BFF85FC894A11C1F86B43FAC3C2149D0BD4A13EDCD744AF337957CBC21A33AB7A948C11EA9F389F3A896B6B1423A504E7028C71300C44
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 1291243 bytes, 2 files, at 0x44 +A "content.inf" +A "Droplet.thmx", flags 0x4, ID 47417, number 1, extra bytes 20 in head, 54 datablocks, 0x1503 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1310275
                                                                                                                          Entropy (8bit):7.9985829899274385
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:24576:NN3M9UHpHZE4aubaPubP3M6d71FdtmFAjq+54/79LVzG+VnS:NN3M9UJHZE4abPyU4JtmFCq+q/7JlVS
                                                                                                                          MD5:9C9F49A47222C18025CC25575337A965
                                                                                                                          SHA1:E42EDB33471D7C1752DCC42C06DD3F9FDA8B25F0
                                                                                                                          SHA-256:ADA7EFF0676D9CCE1935D5485F3DDE35C594D343658FB1DA42CB5A48FC3FC16A
                                                                                                                          SHA-512:9FDCBAB988CBE97BFD931B727D31BA6B8ECF795D0679A714B9AFBC2C26E7DCF529E7A51289C7A1AE7EF04F4A923C2D7966D5AF7C0BC766DCD0FCA90251576794
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 1750009 bytes, 2 files, at 0x44 +A "content.inf" +A "Slate.thmx", flags 0x4, ID 28969, number 1, extra bytes 20 in head, 72 datablocks, 0x1503 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1766185
                                                                                                                          Entropy (8bit):7.9991290831091115
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:24576:O/gjMj+RP9Q07h9F75a0BXjBccHMVk2Hq2SkGa0QglyZtxmdPP2LcSUtfgfp16Yx:kJ6RP9Q07/X5V7yVF0QgktxAPutUt0zP
                                                                                                                          MD5:828F96031F40BF8EBCB5E52AAEEB7E4C
                                                                                                                          SHA1:CACC32738A0A66C8FE51A81ED8E27A6F82E69EB2
                                                                                                                          SHA-256:640AD075B555D4A2143F909EAFD91F54076F5DDE42A2B11CD897BC564B5D7FF7
                                                                                                                          SHA-512:61F6355FF4D984931E79624394CCCA217054AE0F61B9AF1A1EDED5ACCA3D6FEF8940E338C313BE63FC766E6E7161CAFA0C8AE44AD4E0BE26C22FF17E2E6ABAF7
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 1865728 bytes, 2 files, at 0x44 +A "content.inf" +A "Damask.thmx", flags 0x4, ID 63852, number 1, extra bytes 20 in head, 68 datablocks, 0x1503 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1881952
                                                                                                                          Entropy (8bit):7.999066394602922
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:49152:6Wp9u/ZAvKz7ZFCejPiSmYXKIr6kBwBUA:6W6Bn7ZFNiiKo2l
                                                                                                                          MD5:53C5F45B22E133B28D4BD3B5A350FDBD
                                                                                                                          SHA1:D180CFB1438D27F76E1919DA3E84F307CB83434F
                                                                                                                          SHA-256:8AF4C7CAC47D2B9C7ADEADF276EDAE830B4CC5FFE7E765E3C3D7B3FADCB5F273
                                                                                                                          SHA-512:46AD3DA58C63CA62FCFC4FAF9A7B5B320F4898A1E84EEF4DE16E0C0843BAFE078982FC9F78C5AC6511740B35382400B5F7AC3AE99BB52E32AD9639437DB481D1
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 291188 bytes, 2 files, at 0x44 +A "Banded.thmx" +A "content.inf", flags 0x4, ID 56338, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):307348
                                                                                                                          Entropy (8bit):7.996451393909308
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:6144:7vH3uG+yiWx0eVJyORloyyDqnHefzOs81MrXLXx7:b36yiWH/LRS2CJl1
                                                                                                                          MD5:0EBC45AA0E67CC435D0745438371F948
                                                                                                                          SHA1:5584210C4A8B04F9C78F703734387391D6B5B347
                                                                                                                          SHA-256:3744BFA286CFCFF46E51E6A68823A23F55416CD6619156B5929FED1F7778F1C7
                                                                                                                          SHA-512:31761037C723C515C1A9A404E235FE0B412222CB239B86162D17763565D0CCB010397376FB9B61B38A6AEBDD5E6857FD8383045F924AF8A83F2C9B9AF6B81407
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 279287 bytes, 2 files, at 0x44 +A "Basis.thmx" +A "content.inf", flags 0x4, ID 55632, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):295527
                                                                                                                          Entropy (8bit):7.996203550147553
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:6144:nwVaEqsf23c9shf6UyOGgDWDn/p3fd+zkPWnvGL3n9bQnkmVheyqtkl:MlPfW6sVEDn/pPdhWnvGL36zyyqal
                                                                                                                          MD5:9A07035EF802BF89F6ED254D0DB02AB0
                                                                                                                          SHA1:9A48C1962B5CF1EE37FEEC861A5B51CE11091E78
                                                                                                                          SHA-256:6CB03CEBAB2C28BF5318B13EEEE49FBED8DCEDAF771DE78126D1BFE9BD81C674
                                                                                                                          SHA-512:BE13D6D88C68FA16390B04130838D69CDB6169DC16AF0E198C905B22C25B345C541F8FCCD4690D88BE89383C19943B34EDC67793F5EB90A97CD6F6ECCB757F87
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 2511552 bytes, 2 files, at 0x44 +A "content.inf" +A "Main_Event.thmx", flags 0x4, ID 59889, number 1, extra bytes 20 in head, 90 datablocks, 0x1503 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2527736
                                                                                                                          Entropy (8bit):7.992272975565323
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:49152:NFXdpz4d98p/q5jA4q+9Uf5kx6wHR8WfPJZVhWzH4dRze76YP9nJ7yyAInT76nSY:NFXdKx5sM9SmxHKexZVhutJJVpCSqa0Z
                                                                                                                          MD5:F256ACA509B4C6C0144D278C7036B0A8
                                                                                                                          SHA1:93F6106D0759AFD0061F73B876AA9CAB05AA8EF6
                                                                                                                          SHA-256:AD26761D59F1FA9783C2F49184A2E8FE55FCD46CD3C49FFC099C02310649DC67
                                                                                                                          SHA-512:08C57661F8CC9B547BBE42B4A5F8072B979E93346679ADE23CA685C0085F7BC14C26707B3D3C02F124359EBB640816E13763C7546FF095C96D2BB090320F3A95
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 2573508 bytes, 2 files, at 0x44 +A "content.inf" +A "Mesh.thmx", flags 0x4, ID 62129, number 1, extra bytes 20 in head, 94 datablocks, 0x1503 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2591108
                                                                                                                          Entropy (8bit):7.999030891647433
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:49152:ZSBBeAefkpB5iXfQJgi7JBaCCRZ3cM2VDHkvSJO6qzI1tE9Rn:EBI6gbCkMPDHKSJO6qsP6n
                                                                                                                          MD5:BEB12A0464D096CA33BAEA4352CE800F
                                                                                                                          SHA1:F678D650B4A41676BA05C836D462F34BDC5BF648
                                                                                                                          SHA-256:A44166F5C9F2553555A43586BA5DB1C1DE54D72D308A48268F27C6A00076B1CA
                                                                                                                          SHA-512:B6E7CCD1ECBB9A49FC72E40771725825DAF41DDB2FF8EA4ECCE18B8FA1A59D3B2C474ADD055F30DA58C7E833A6E6555EBB77CCC324B61CA337187B4B41F7008B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 15418 bytes, 2 files, at 0x4c "harvardanglia2008officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):31562
                                                                                                                          Entropy (8bit):7.81640835713744
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:yhsBScEWkrljntbzuMmWh7ezPnGgbA8E0GftpBjohgsRFLrHRN7ybll7PK/p:MsBScwtnBmWNeTzA8PiuWsvyDI
                                                                                                                          MD5:1D6F8E73A0662A48D332090A4C8C898F
                                                                                                                          SHA1:CF9AD4F157772F5EDC0FDDEEFD9B05958B67549C
                                                                                                                          SHA-256:8077C92C66D15D7E03FBFF3A48BD9576B80F698A36A44316EABA81EE8043B673
                                                                                                                          SHA-512:5C03A99ECD747FBC7A15F082DF08C0D26383DB781E1F70771D4970E354A962294CE11BE53BECAAD6746AB127C5B194A93B7E1B139C12E6E45423B3A509D771FC
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 3144 bytes, 2 files, at 0x44 "VaryingWidthList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):19288
                                                                                                                          Entropy (8bit):7.570850633867256
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:5ZII4Hf+7G8E0GftpBjCwBFLrHRN7bcClvQyUTL2mH:pG8PicgbcAvU+mH
                                                                                                                          MD5:B9A6FF715719EE9DE16421AB983CA745
                                                                                                                          SHA1:6B3F68B224020CD4BF142D7EDAAEC6B471870358
                                                                                                                          SHA-256:E3BE3F1E341C0FA5E9CB79E2739CF0565C6EA6C189EA3E53ACF04320459A7070
                                                                                                                          SHA-512:062A765AC4602DB64D0504B79BE7380C14C143091A09F98A5E03E18747B2166BD862CE7EF55403D27B54CEB397D95BFAE3195C15D5516786FEBDAC6CD5FBF9CD
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 5213 bytes, 2 files, at 0x44 "rings.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):21357
                                                                                                                          Entropy (8bit):7.641082043198371
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:zdx+NRrogu6fzCI7Th7G8E0GftpBjEzZq4FLrHRN7/Oll7PK/pB:/+NRrFf/G8Pi6zZb/GIB
                                                                                                                          MD5:97F5B7B7E9E1281999468A5C42CB12E7
                                                                                                                          SHA1:99481B2FA609D1D80A9016ADAA3D37E7707A2ED1
                                                                                                                          SHA-256:1CF5C2D0F6188FFFF117932C424CC55D1459E0852564C09D7779263ABD116118
                                                                                                                          SHA-512:ACE9718D724B51FE04B900CE1D2075C0C05C80243EA68D4731A63138F3A1287776E80BD67ECB14C323C69AA1796E9D8774A3611FE835BA3CA891270DE1E7FD1F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 5647 bytes, 2 files, at 0x44 "RadialPictureList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):21791
                                                                                                                          Entropy (8bit):7.65837691872985
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:PWew5RNDcvPgbA8E0GftpBjE0hsyaFLrHRN7BD9lI66YR:P3GRNDcEA8Pi60hsyABDo66g
                                                                                                                          MD5:7BF88B3CA20EB71ED453A3361908E010
                                                                                                                          SHA1:F75F86557051160507397F653D7768836E3B5655
                                                                                                                          SHA-256:E555A610A61DB4F45A29A7FB196A9726C25772594252AD534453E69F05345283
                                                                                                                          SHA-512:2C3DFB0F8913D1D8FF95A55E1A1FD58CE1F9D034268CD7BC0D2BF2DCEFEA8EF05DD62B9AFDE1F983CACADD0529538381632ADFE7195EAC19CE4143414C44DBE3
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 6005 bytes, 2 files, at 0x44 "HexagonRadial.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):22149
                                                                                                                          Entropy (8bit):7.659898883631361
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:b98FG/zdCbf7BOEawSi8E0GftpBjEPTFPxFLrHRN7S5ll7PK/pA2:N/zAbDae8Pi6PFPSRIA2
                                                                                                                          MD5:66C5199CF4FB18BD4F9F3F2CCB074007
                                                                                                                          SHA1:BA9D8765FFC938549CC19B69B3BF5E6522FB062E
                                                                                                                          SHA-256:4A7DC4ED098E580C8D623C51B57C0BC1D601C45F40B60F39BBA5F063377C3C1F
                                                                                                                          SHA-512:94C434A131CDE47CB64BCD2FB8AF442482F8ECFA63D958C832ECA935DEB10D360034EF497E2EBB720C72B4C1D7A1130A64811D362054E1D52A441B91C46034B0
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 12767 bytes, 2 files, at 0x4c "ieee2006officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):28911
                                                                                                                          Entropy (8bit):7.7784119983764715
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:WnJY165YD0tPYoCKa3HueqRyzVscLk1Yj2GjcgbA8E0GftpBjE2kWTpjFLrHRN7N:X4rtPzCK6uRoljXBA8Pi62ZphL0HRA5p
                                                                                                                          MD5:6D787B1E223DB6B91B69238062CCA872
                                                                                                                          SHA1:A02F3D847D1F8973E854B89D4558413EA2E349F7
                                                                                                                          SHA-256:DA2F261C3C82E229A097A9302C8580F014BB6442825DB47C008DA097CFCE0EE4
                                                                                                                          SHA-512:9856D88D5C63CD6EBCF26E5D7521F194FA6B6E7BF55DD2E0238457A1B760EB8FB0D573A6E85E819BF8E5BE596537E99BC8C2DCE7EC6E2809A43490CACCD44169
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 4091 bytes, 2 files, at 0x44 "BracketList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):20235
                                                                                                                          Entropy (8bit):7.61176626859621
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:j3W3yGyjgbA8E0GftpBjEHvFLrHRN7pDAlI66Yv1:j3WFyAA8Pi6HVpDZ66c1
                                                                                                                          MD5:E3C64173B2F4AA7AB72E1396A9514BD8
                                                                                                                          SHA1:774E52F7E74B90E6A520359840B0CA54B3085D88
                                                                                                                          SHA-256:16C08547239E5B969041AB201EB55A3E30EAD400433E926257331CB945DFF094
                                                                                                                          SHA-512:7ED618578C6517ED967FB3521FD4DBED9CDFB7F7982B2B8437804786833207D246E4FCD7B85A669C305BE3B823832D2628105F01E2CF30B494172A17FC48576D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 4313 bytes, 2 files, at 0x44 "chevronaccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):20457
                                                                                                                          Entropy (8bit):7.612540359660869
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:KyeISBuydn5rpmp77G8E0GftpBjE/kFLrHRN7ngslI66YVj:KHISBvd5rpmFG8Pi6/6nK666j
                                                                                                                          MD5:4EFA48EC307EAF2F9B346A073C67FCFB
                                                                                                                          SHA1:76A7E1234FF29A2B18C968F89082A14C9C851A43
                                                                                                                          SHA-256:3EE9AE1F8DAB4C498BD561D8FCC66D83E58F11B7BB4B2776DF99F4CDA4B850C2
                                                                                                                          SHA-512:2705644D501D85A821E96732776F61641FE82820FD6A39FFAF54A45AD126C886DC36C1398CDBDBB5FE282D9B09D27F9BFE7F26A646F926DA55DFF28E61FBD696
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 15691 bytes, 2 files, at 0x4c "gb.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):31835
                                                                                                                          Entropy (8bit):7.81952379746457
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:ltJDH8NmUekomvNufaqA8Pi6x5q3KQIGu:lvINukgzP7x5mRIGu
                                                                                                                          MD5:92A819D434A8AAEA2C65F0CC2F33BB3A
                                                                                                                          SHA1:85C3F1801EFFEA1EA10A8429B0875FC30893F2C8
                                                                                                                          SHA-256:5D13F9907AC381D19F0A7552FD6D9FC07C9BD42C0F9CE017FFF75587E1890375
                                                                                                                          SHA-512:01339E04130E08573DF7DBDFE25D82ED1D248B8D127BB90D536ECF4A26F5554E793E51E1A1800F61790738CC386121E443E942544246C60E47E25756F0C810A3
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 5864 bytes, 2 files, at 0x44 "architecture.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):22008
                                                                                                                          Entropy (8bit):7.662386258803613
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:M7FUtfIdqSHQs7G8E0GftpBjED/C4RQrFLrHRN7TT8DlvQyUTL2mH:sWgdqR2G8Pi6D6YQZTTMvU+mH
                                                                                                                          MD5:ABBF10CEE9480E41D81277E9538F98CB
                                                                                                                          SHA1:F4EA53D180C95E78CC1DA88CD63F4C099BF0512C
                                                                                                                          SHA-256:557E0714D5536070131E7E7CDD18F0EF23FE6FB12381040812D022EC0FEE7957
                                                                                                                          SHA-512:9430DAACF3CA67A18813ECD842BE80155FD2DE0D55B7CD16560F4AAEFDA781C3E4B714D850D367259CAAB28A3BF841A5CB42140B19CFE04AC3C23C358CA87FFB
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 6450 bytes, 2 files, at 0x44 "ThemePictureAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):22594
                                                                                                                          Entropy (8bit):7.674816892242868
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:L7d2l8FbHaaIKbtv1gDISi8E0GftpBjEZRFLrHRN74bUll7PK/pd:LUlCIOt/8Pi6Zv4bMId
                                                                                                                          MD5:EE0129C7CC1AC92BBC3D6CB0F653FCAE
                                                                                                                          SHA1:4ABAA858176B349BDAB826A7C5F9F00AC5499580
                                                                                                                          SHA-256:345AA5CA2496F975B7E33C182D5E57377F8B740F23E9A55F4B2B446723947B72
                                                                                                                          SHA-512:CDDABE701C8CBA5BD5D131ABB85F9241212967CE6924E34B9D78D6F43D76A8DE017E28302FF13CE800456AD6D1B5B8FFD8891A66E5BE0C1E74CF19DF9A7AD959
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 5731 bytes, 2 files, at 0x44 "ThemePictureAlternatingAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):21875
                                                                                                                          Entropy (8bit):7.6559132103953305
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:k73HRpZA6B3ulrnxtRT7G8E0GftpBjEdHqlFLrHRN7uhFlvQyUTL2m4c:k7XRgIkrG8Pi6dmuNvU+mp
                                                                                                                          MD5:E532038762503FFA1371DF03FA2E222D
                                                                                                                          SHA1:F343B559AE21DAEF06CBCD8B2B3695DE1B1A46F0
                                                                                                                          SHA-256:5C70DD1551EB8B9B13EFAFEEAF70F08B307E110CAEE75AD9908A6A42BBCCB07E
                                                                                                                          SHA-512:E0712B481F1991256A01C3D02ED56645F61AA46EB5DE47E5D64D5ECD20052CDA0EE7D38208B5EE982971CCA59F2717B7CAE4DFCF235B779215E7613AA5DCD976
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 18672 bytes, 2 files, at 0x4c "APASixthEditionOfficeOnline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):34816
                                                                                                                          Entropy (8bit):7.840826397575377
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:i3R9VYnIYfPYmqX0CnF1SRHVnLG8Pi61YbEIFO:ih9VjYfPYlk+F1SJxP71YbEIFO
                                                                                                                          MD5:62863124CDCDA135ECC0E722782CB888
                                                                                                                          SHA1:2543B8A9D3B2304BB73D2ADBEC60DB040B732055
                                                                                                                          SHA-256:23CCFB7206A8F77A13080998EC6EF95B59B3C3E12B72B2D2AD4E53B0B26BB8C3
                                                                                                                          SHA-512:2734D1119DC14B7DFB417F217867EF8CE8E73D69C332587278C0896B91247A40C289426A1A53F1796CCB42190001273D35525FCEA8BA2932A69A581972A1EF00
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 19375 bytes, 2 files, at 0x4c "turabian.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):35519
                                                                                                                          Entropy (8bit):7.846686335981972
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:2LFougzHaUdBKUsM+Z56zBjA8Pi6bo+ld8IX:MFodzHaULR9P7bo+l6IX
                                                                                                                          MD5:53EE9DA49D0B84357038ECF376838D2E
                                                                                                                          SHA1:AB03F46783B2227F312187DD84DC0C517510DE20
                                                                                                                          SHA-256:9E46B8BA0BAD6E534AF33015C86396C33C5088D3AE5389217A5E90BA68252374
                                                                                                                          SHA-512:751300C76ECE4901801B1F9F51EACA7A758D5D4E6507E227558AAAAF8E547C3D59FA56153FEA96B6B2D7EB08C7AF2E4D5568ACE7E798D1A86CEDE363EFBECF7C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 9170 bytes, 2 files, at 0x44 "InterconnectedBlockProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):25314
                                                                                                                          Entropy (8bit):7.729848360340861
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:75V23GNhfG/YvmBqWDP7G8E0GftpBjEB1vrFLrHRN7mKll7PK/pRU0:LS/Yvc7TG8Pi6BLm6IS0
                                                                                                                          MD5:C47E3430AF813DF8B02E1CB4829DD94B
                                                                                                                          SHA1:35F1F1A18AA4FD2336A4EA9C6005DBE70013C7FC
                                                                                                                          SHA-256:F2DB1E60533F0D108D5FB1004904C1F2E8557D4493F3B251A1B3055F8F1507A3
                                                                                                                          SHA-512:6F8904E658EB7D04C6880F7CC3EC63FCFE31EF2C3A768F4ECF40B115314F23774DAEE66DCE9C55FAF0AD31075A3AC27C8967FD341C23C953CA28BDC120997287
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 10800 bytes, 2 files, at 0x44 "ConvergingText.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):26944
                                                                                                                          Entropy (8bit):7.7574645319832225
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:sbUX16g8/atF4NB3TJOvqeMRD/8svIZj/OwgbA8E0GftpBjEYwFLrHRN7mYll7PY:sbhg8yY4nMZK2hA8Pi6Yum4IVR
                                                                                                                          MD5:F913DD84915753042D856CEC4E5DABA5
                                                                                                                          SHA1:FB1E423C8D09388C3F0B6D44364D94D786E8CF53
                                                                                                                          SHA-256:AA03AFB681A76C86C1BD8902EE2BBA31A644841CE6BCB913C8B5032713265578
                                                                                                                          SHA-512:C48850522C809B18208403B3E721ABEB1187F954045CE2F8C48522368171CC8FAF5F30FA44F6762AFDE130EC72284BB2E74097A35FE61F056656A27F9413C6B6
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 17466 bytes, 2 files, at 0x4c "chicago.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 10 datablocks, 0x1203 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):33610
                                                                                                                          Entropy (8bit):7.8340762758330476
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:IlFYcxiahedKSDNAPk5WEEfA8Pi6xnOKMRA58:2JitdKsNAM5WBDP7xOKMq58
                                                                                                                          MD5:51804E255C573176039F4D5B55C12AB2
                                                                                                                          SHA1:A4822E5072B858A7CCA7DE948CAA7D2268F1BB4B
                                                                                                                          SHA-256:3C6F66790C543D4E9D8E0E6F476B1ACADF0A5FCDD561B8484D8DDDADFDF8134B
                                                                                                                          SHA-512:2AC8B1E433C9283377B725A03AE72374663FEC81ABBA4C049B80409819BB9613E135FCD640ED433701795BDF4D5822461D76A06859C4084E7BAE216D771BB091
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 14864 bytes, 2 files, at 0x4c "mlaseventheditionofficeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):31008
                                                                                                                          Entropy (8bit):7.806058951525675
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:ktH7oN/HbwiV+M+4Jc+5UrT3czi5uOHQA8Pi6DxUR/WTZIy:87sPEANXJc+eTMsuzP7DmN0ZIy
                                                                                                                          MD5:E033CCBC7BA787A2F824CE0952E57D44
                                                                                                                          SHA1:EEEA573BEA217878CD9E47D7EA94E56BDAFFE22A
                                                                                                                          SHA-256:D250EB1F93B43EFB7654B831B4183C9CAEC2D12D4EFEE8607FEE70B9FAB20730
                                                                                                                          SHA-512:B807B024B32E7F975AED408B77563A6B47865EECE32E8BA993502D9874B56580ECC9D9A3FEFA057FDD36FB8D519B6E184DB0593A65CC0ACF5E4ACCBEDE0F9417
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 14813 bytes, 2 files, at 0x4c "iso690nmerical.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 7 datablocks, 0x1203 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):30957
                                                                                                                          Entropy (8bit):7.808231503692675
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:rKfgT03jNkAFbgUQWtxq9OGh1bBkd/1MVHb5iVOdMgbA8E0GftpBjEl8tFLrHRNF:r303jOrUQAkfhopWHbA8Pi6l8zuUIq
                                                                                                                          MD5:D3C9036E4E1159E832B1B4D2E9D42BF0
                                                                                                                          SHA1:966E04B7A8016D7FDAFE2C611957F6E946FAB1B9
                                                                                                                          SHA-256:434576EB1A16C2D14D666A33EDDE76717C896D79F45DF56742AFD90ACB9F21CE
                                                                                                                          SHA-512:D28D7F467F072985BCFCC6449AD16D528D531EB81912D4C3D956CF8936F96D474B18E7992B16D6834E9D2782470D193A17598CAB55A7F9EB0824BC3F069216B6
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 14939 bytes, 2 files, at 0x44 "CircleProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):31083
                                                                                                                          Entropy (8bit):7.814202819173796
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:0XbSq3W46TVZb5fOFo1HtZwGqtRT44hS+nyBoiuFgbA8E0GftpBjEcBFLrHRN7Ku:0XpOflfOFo1DMr/iuuA8Pi6cfKjW66b
                                                                                                                          MD5:89A9818E6658D73A73B642522FF8701F
                                                                                                                          SHA1:E66C95E957B74E90B444FF16D9B270ADAB12E0F4
                                                                                                                          SHA-256:F747DD8B79FC69217FA3E36FAE0AB417C1A0759C28C2C4F8B7450C70171228E6
                                                                                                                          SHA-512:321782B0B633380DA69BD7E98AA05BE7FA5D19A131294CC7C0A598A6A1A1AEF97AB1068427E4223AA30976E3C8246FF5C3C1265D4768FE9909B37F38CBC9E60D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 4967 bytes, 2 files, at 0x44 "TabList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):21111
                                                                                                                          Entropy (8bit):7.6297992466897675
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:wWZsOvbMZGgbA8E0GftpBjEtnFLrHRN7Dfll7PK/pirk:xZRvuzA8Pi6t9DPISk
                                                                                                                          MD5:D30AD26DBB6DECA4FDD294F48EDAD55D
                                                                                                                          SHA1:CA767A1B6AF72CF170C9E10438F61797E0F2E8CE
                                                                                                                          SHA-256:6B1633DD765A11E7ED26F8F9A4DD45023B3E4ADB903C934DF3917D07A3856BFF
                                                                                                                          SHA-512:7B519F5D82BA0DA3B2EFFAD3029C7CAB63905D534F3CF1F7EA3446C42FA2130665CA7569A105C18289D65FA955C5624009C1D571E8960D2B7C52E0D8B42BE457
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 6196 bytes, 2 files, at 0x44 "ThemePictureGrid.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):22340
                                                                                                                          Entropy (8bit):7.668619892503165
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:GByvLdFHny7G8E0GftpBjE8upFLrHRN778lvQyUTL2mm2y:Oy3HkG8Pi6887mvU+ma
                                                                                                                          MD5:8B29FAB506FD65C21C9CD6FE6BBBC146
                                                                                                                          SHA1:CE1B8A57BB3C682F6A0AFC32955DAFD360720FDF
                                                                                                                          SHA-256:773AC516C9B9B28058128EC9BE099F817F3F90211AC70DC68077599929683D6F
                                                                                                                          SHA-512:AFA82CCBC0AEF9FAE4E728E4212E9C6EB2396D7330CCBE57F8979377D336B4DACF4F3BF835D04ABCEBCDB824B9A9147B4A7B5F12B8ADDADF42AB2C34A7450ADE
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 3749 bytes, 2 files, at 0x44 "TabbedArc.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):19893
                                                                                                                          Entropy (8bit):7.592090622603185
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:v3Zh3VlkpSIcgbA8E0GftpBjEmm3UFLrHRN7GYvlvQyUTL2mTAp:v31qp/A8Pi6mUqGGvU+mcp
                                                                                                                          MD5:EF9CB8BDFBC08F03BEF519AD66BA642F
                                                                                                                          SHA1:D98C275E9402462BF52A4D28FAF57DF0D232AF6B
                                                                                                                          SHA-256:93A2F873ACF5BEAD4BC0D1CC17B5E89A928D63619F70A1918B29E5230ABEAD8E
                                                                                                                          SHA-512:4DFBDF389730370FA142DCFB6F7E1AC1C0540B5320FA55F94164C0693DB06C21E6D4A1316F0ABE51E51BCBDAB3FD33AE882D9E3CFDB4385AB4C3AF4C2536B0B3
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 15461 bytes, 2 files, at 0x4c "gostname.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):31605
                                                                                                                          Entropy (8bit):7.820497014278096
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:7SpOUxgQ9gFodHZktfHa2TSmcAg76j8/xorK0JoZgbA8E0GftpBjE2PzFLrHRN7S:OngHltf7Bcp/xoB3A8Pi625D8RA54
                                                                                                                          MD5:69EDB3BF81C99FE8A94BBA03408C5AE1
                                                                                                                          SHA1:1AC85B369A976F35244BEEFA9C06787055C869C1
                                                                                                                          SHA-256:CEBE759BC4509700E3D23C6A5DF8D889132A60EBC92260A74947EAA1089E2789
                                                                                                                          SHA-512:BEA70229A21FBA3FD6D47A3DC5BECBA3EAA0335C08D486FAB808344BFAA2F7B24DD9A14A0F070E13A42BE45DE3FF54D32CF38B43192996D20DF4176964E81A53
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 4410 bytes, 2 files, at 0x44 "PictureFrame.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):20554
                                                                                                                          Entropy (8bit):7.612044504501488
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:zEAH676iPi8+IS5iqn7G8E0GftpBjExDxIHFLrHRN7Ke/ll7PK/pGaz6:zEhG8+ISrG8Pi6xDxCKoIGaz6
                                                                                                                          MD5:486CBCB223B873132FFAF4B8AD0AD044
                                                                                                                          SHA1:B0EC82CD986C2AB5A51C577644DE32CFE9B12F92
                                                                                                                          SHA-256:B217393FD2F95A11E2C594E736067870212E3C5242A212D6F9539450E8684616
                                                                                                                          SHA-512:69A48BF2B1DB64348C63FC0A50B4807FB9F0175215E306E60252FFFD792B1300128E8E847A81A0E24757B5F999875DA9E662C0F0D178071DB4F9E78239109060
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 26644 bytes, 2 files, at 0x4c "Element design set.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):42788
                                                                                                                          Entropy (8bit):7.89307894056
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:Hx+UzBiwDQTXgBm029ClGn4BZz6i5kIew/jG8Pi6lYJz1gH:0ZXc29eGn2n5klwjxP7l2z1gH
                                                                                                                          MD5:21A4B7B71631C2CCDA5FBBA63751F0D2
                                                                                                                          SHA1:DE65DC641D188062EF9385CC573B070AAA8BDD28
                                                                                                                          SHA-256:AE0C5A2C8377DBA613C576B1FF73F01AE8EF4A3A4A10B078B5752FB712B3776C
                                                                                                                          SHA-512:075A9E95C6EC7E358EA8942CF55EFB72AC797DEE1F1FFCD27AD60472ED38A76048D356638EF6EAC22106F94AFEE9D543B502D5E80B964471FA7419D288867D5D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 30269 bytes, 2 files, at 0x4c "Text Sidebar (Annual Report Red and Black design).docx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):46413
                                                                                                                          Entropy (8bit):7.9071408623961394
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:WaxA0CH65GY3+fvCXCttfR8JEBrkquwDn+QV5V+vNWBatX/xG8Pi65sMuMjvU+mQ:hne65GYOfKXMSEBrBtDnzFAI4JxP75sM
                                                                                                                          MD5:C455C4BC4BEC9E0DA67C4D1E53E46D5A
                                                                                                                          SHA1:7674600C387114B0F98EC925BE74E811FB25C325
                                                                                                                          SHA-256:40E9AF9284FF07FDB75C33A11A794F5333712BAA4A6CF82FA529FBAF5AD0FED0
                                                                                                                          SHA-512:08166F6CB3F140E4820F86918F59295CAD8B4A17240C206DCBA8B46088110BDF4E4ADBAB9F6380315AD4590CA7C8ECDC9AFAC6BD1935B17AFB411F325FE81720
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 15338 bytes, 2 files, at 0x4c "gosttitle.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):31482
                                                                                                                          Entropy (8bit):7.808057272318224
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:LgHv7aLOcoLGQ4EykdrHwLa+A8Pi6Iv8ACIa:LwvWyx4EykdTwLaWP7I0ACIa
                                                                                                                          MD5:F10DF902980F1D5BEEA96B2C668408A7
                                                                                                                          SHA1:92D341581B9E24284B7C29E5623F8028DBBAAFE9
                                                                                                                          SHA-256:E0100320A4F63E07C77138A89EA24A1CBD69784A89FE3BF83E35576114B4CE02
                                                                                                                          SHA-512:00A8FBCD17D791289AC8F12DC3C404B0AFD240278492DF74D2C5F37609B11D91A26D737BE95D3FE01CDBC25EEDC6DA0C2D63A2CCC4AB208D6E054014083365FB
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 15327 bytes, 2 files, at 0x4c "sist02.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):31471
                                                                                                                          Entropy (8bit):7.818389271364328
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:eNtFWk68dbr2QxbM971RqpzAA8Pi6TlHaGRA5yr:eNtEkpGSbuHAkP7TlHaGq54
                                                                                                                          MD5:91AADBEC4171CFA8292B618492F5EF34
                                                                                                                          SHA1:A47DEB62A21056376DD8F862E1300F1E7DC69D1D
                                                                                                                          SHA-256:7E1A90CDB2BA7F03ABCB4687F0931858BF57E13552E0E4E54EC69A27325011EA
                                                                                                                          SHA-512:1978280C699F7F739CD9F6A81F2B665643BD0BE42CE815D22528F0D57C5A646FC30AAE517D4A0A374EFB8BD3C53EB9B3D129660503A82BA065679BBBB39BD8D5
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 27509 bytes, 2 files, at 0x4c "Equations.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):43653
                                                                                                                          Entropy (8bit):7.899157106666598
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:+bjfeR1OOZvv439PlDe5/QzhgFSo0UEDmJwkqTA8Pi63Bsgn66w:IM3CN9ZzhFbUUwaP73BsB6w
                                                                                                                          MD5:DA3380458170E60CBEA72602FDD0D955
                                                                                                                          SHA1:1D059F8CFD69F193D363DA337C87136885018F0F
                                                                                                                          SHA-256:6F8FFB225F3B8C7ADE31A17A02F941FC534E4F7B5EE678B21CD9060282034701
                                                                                                                          SHA-512:17080110000C66DF2282FF4B8FD332467AF8CEFFA312C617E958FDFEBEE8EEA9E316201E8ABC8B30797BB6124A5CC7F649119A9C496316434B5AB23D2FBD5BB8
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 7453 bytes, 2 files, at 0x44 "pictureorgchart.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):23597
                                                                                                                          Entropy (8bit):7.692965575678876
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:y6aR//q0bJi/Uj+957G8E0GftpBj/4YOFLrHRN7LxhKll7PK/ph:y6I/Li/UjmVG8PiZ4YsLxh6Ih
                                                                                                                          MD5:7C645EC505982FE529D0E5035B378FFC
                                                                                                                          SHA1:1488ED81B350938D68A47C7F0BCE8D91FB1673E2
                                                                                                                          SHA-256:298FD9DADF0ACEBB2AA058A09EEBFAE15E5D1C5A8982DEE6669C63FB6119A13D
                                                                                                                          SHA-512:9F410DA5DB24B0B72E7774B4CF4398EDF0D361B9A79FBE2736A1DDD770AFE280877F5B430E0D26147CCA0524A54EA8B41F88B771F3598C2744A7803237B314B2
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Cabinet archive data, many, 16689 bytes, 2 files, at 0x4c "iso690.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):32833
                                                                                                                          Entropy (8bit):7.825460303519308
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:+0TU06CkaUYMoi//YX428RaFA8Pi6e9iA4I3w:vICTm/QorUpP7eAA4I3w
                                                                                                                          MD5:205AF51604EF96EF1E8E60212541F742
                                                                                                                          SHA1:D436FE689F8EF51FBA898454CF509DDB049C1545
                                                                                                                          SHA-256:DF3FFF163924D08517B41455F2D06788BA4E49C68337D15ECF329BE48CF7DA2D
                                                                                                                          SHA-512:BCBA80ED0E36F7ABC1AEF19E6FF6EB654B9E91268E79CA8F421CB8ADD6C2B0268AD6C45E6CC06652F59235084ECDA3BA2851A38E6BCD1A0387EB3420C6EC94AC
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):30
                                                                                                                          Entropy (8bit):1.2389205950315936
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:+V/X:+
                                                                                                                          MD5:7A893CC694B7FFB94FA312DDE17F033E
                                                                                                                          SHA1:D835D3ABD987E8C8C9EB5BF895889B5921290386
                                                                                                                          SHA-256:C4D64F0E1075D7D4A7E08150B0E49A69CD621B78EAFCB76D1677D6F025A56FCA
                                                                                                                          SHA-512:5122F1280C5FC9206F9E47F442EC7335F01BFF534EAD720326F4ED9EE9375668DECE43BF3F5D0F106C881083B6462EDD68B18344BE5BF9E3F2B70973B66DFBC8
                                                                                                                          Malicious:false
                                                                                                                          Preview:..............................
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Dec 3 10:35:45 2024, mtime=Tue Dec 3 10:35:51 2024, atime=Mon Dec 2 20:13:15 2024, length=230038, window=hide
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):600
                                                                                                                          Entropy (8bit):4.548538583005189
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:4xtQl3K8Flatl0kl//aRKOLkjO/RKOLWt+IcccljAlxx23LXlIRo3wTymwy1avGc:8dRl0sXaAk/AkhcUjAULXlAwy1BmV
                                                                                                                          MD5:E2603C5F89B6A7947F6F0B0F85E36BEF
                                                                                                                          SHA1:874ED1685C61FEB2DFDA969B276532F6DB7FA9A6
                                                                                                                          SHA-256:17E679C7E471840E3BAF5C0B48DAFABC281F45D4A1A399F68F152FF1581185E9
                                                                                                                          SHA-512:D64796BF13C207A90386D32B959A485558FD74BB60563C8309E19AE3BE29E8F313D5BEFD981E84348EA650A13B30053BDBC3D387A1909B473ED76F85F17D7E05
                                                                                                                          Malicious:false
                                                                                                                          Preview:L..................F.... ....t.}wE....}.wE......D...............................P.O. .:i.....+00.../C:\...................P.1......Yw\..intel.<......Yw\.Yw\............................B.i.n.t.e.l.....Z.2......Y.. .DOC~1.DOC.B......Yw\.Yw\..........................,dE.D.o.c...d.o.c.x.......@...............-.......?............F.......C:\intel\Doc.docx..#.....\.....\.....\.....\.....\.....\.....\.i.n.t.e.l.\.D.o.c...d.o.c.x.`.......X.......226546...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Generic INItialization configuration [folders]
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):41
                                                                                                                          Entropy (8bit):4.247557492317427
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:HqdLBCm4UcBCv:HA9hGs
                                                                                                                          MD5:CE7BCCD008058E0D96C85995FABBDC9F
                                                                                                                          SHA1:939A8927196DC4C5E90B32234C1484B72052F5A1
                                                                                                                          SHA-256:2AD83E8B46EF787ABC53DC07C6D648975AF14441067BCC46017DA2B1A3DEE6CC
                                                                                                                          SHA-512:6D2B32C16C0B0E330EDC39C20F0666CC128F5A16D82E34837D7951FE71E02B8A5BA20CD3F0ECAA58D570B110FFCCA113FC87D4CA5C4ACBE3B557B21F20CAB872
                                                                                                                          Malicious:false
                                                                                                                          Preview:[misc]..Doc.LNK=0..[folders]..Doc.LNK=0..
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):562113
                                                                                                                          Entropy (8bit):7.67409707491542
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:/dy5Gtyp/FZ9QqjdxDfSp424XeavSktiAVE0:/dizp1ndpqpMZnV
                                                                                                                          MD5:4A1657A3872F9A77EC257F41B8F56B3D
                                                                                                                          SHA1:4DDEA85C649A2C1408B5B08A15DEF49BAA608A0B
                                                                                                                          SHA-256:C17103ADE455094E17AC182AD4B4B6A8C942FD3ACB381F9A5E34E3F8B416AE60
                                                                                                                          SHA-512:7A2932639E06D79A5CE1D3C71091890D9E329CA60251E16AE4095E4A06C6428B4F86B7FFFA097BF3EEFA064370A4D51CA3DF8C89EAFA3B1F45384759DEC72922
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1649585
                                                                                                                          Entropy (8bit):7.875240099125746
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:L368X6z95zf5BbQ6U79dYy2HiTIxRboyM/LZTl5KnCc:r68kb7UTYxGIxmnp65
                                                                                                                          MD5:35200E94CEB3BB7A8B34B4E93E039023
                                                                                                                          SHA1:5BB55EDAA4CDF9D805E36C36FB092E451BDDB74D
                                                                                                                          SHA-256:6CE04E8827ABAEA9B292048C5F84D824DE3CEFDB493101C2DB207BD4475AF1FD
                                                                                                                          SHA-512:ED80CEE7C22D10664076BA7558A79485AA39BE80582CEC9A222621764DAE5EFA70F648F8E8C5C83B6FE31C2A9A933C814929782A964A47157505F4AE79A3E2F9
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):558035
                                                                                                                          Entropy (8bit):7.696653383430889
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:DQ/oYjRRRRRRRRYcdY/5ASWYqBMp8xsGGEOzI7vQQwOyP:DQ/nRRRRRRRRxY/5JWYZ3GGbI8YA
                                                                                                                          MD5:3B5E44DDC6AE612E0346C58C2A5390E3
                                                                                                                          SHA1:23BCF3FCB61F80C91D2CFFD8221394B1CB359C87
                                                                                                                          SHA-256:9ED9AD4EB45E664800A4876101CBEE65C232EF478B6DE502A330D7C89C9AE8E2
                                                                                                                          SHA-512:2E63419F272C6E411CA81945E85E08A6E3230A2F601C4D28D6312DB5C31321F94FAFA768B16BC377AE37B154C6869CA387005693A79C5AB1AC45ED73BCCC6479
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):523048
                                                                                                                          Entropy (8bit):7.715248170753013
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:WfmDdN6Zfv8q5rnM6vZ02PtMZRkfW5ipbnMHxVcsOWrCMxy0sD/mcKb4rYEY:xDdQXBrMi2YtggW5ObnMH1brJpUmBU0N
                                                                                                                          MD5:C276F590BB846309A5E30ADC35C502AD
                                                                                                                          SHA1:CA6D9D6902475F0BE500B12B7204DD1864E7DD02
                                                                                                                          SHA-256:782996D93DEBD2AF9B91E7F529767A8CE84ACCC36CD62F24EBB5117228B98F58
                                                                                                                          SHA-512:B85165C769DFE037502E125A04CFACDA7F7CC36184B8D0A54C1F9773666FFCC43A1B13373093F97B380871571788D532DEEA352E8D418E12FD7AAD6ADB75A150
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3078052
                                                                                                                          Entropy (8bit):7.954129852655753
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:bSEjlpY8skyFHuj2yY0ciM9U2NCVBB4YFzYFw7IaJE2VRK+Xn9DOOe9pp9N9Hu:bfp5sksA3cimUVxV05aJE2fKaDOXdN9O
                                                                                                                          MD5:CDF98D6B111CF35576343B962EA5EEC6
                                                                                                                          SHA1:D481A70EC9835B82BD6E54316BF27FAD05F13A1C
                                                                                                                          SHA-256:E3F108DDB3B8581A7A2290DD1E220957E357A802ECA5B3087C95ED13AD93A734
                                                                                                                          SHA-512:95C352869D08C0FE903B15311622003CB4635DE8F3A624C402C869F1715316BE2D8D9C0AB58548A84BBB32757E5A1F244B1014120543581FDEA7D7D9D502EF9C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):777647
                                                                                                                          Entropy (8bit):7.689662652914981
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:B04bNOJMngI856k0wwOGXMaXTLaTDmfBaN2Tx9iSUk1PdSnc0lnDlcGMcEFYYYYt:xbY6ngI46Aw5dmyYYYYYYYYY7p8d
                                                                                                                          MD5:B30D2EF0FC261AECE90B62E9C5597379
                                                                                                                          SHA1:4893C5B9BE04ECBB19EE45FFCE33CA56C7894FE3
                                                                                                                          SHA-256:BB170D6DE4EE8466F56C93DC26E47EE8A229B9C4842EA8DD0D9CCC71BC8E2976
                                                                                                                          SHA-512:2E728408C20C3C23C84A1C22DB28F0943AAA960B4436F8C77570448D5BEA9B8D53D95F7562883FA4F9B282DFE2FD07251EEEFDE5481E49F99B8FEDB66AAAAB68
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):924687
                                                                                                                          Entropy (8bit):7.824849396154325
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:lsadD3eLxI8XSh4yDwFw8oWR+6dmw2ZpQDKpazILv7Jzny/ApcWqyOpEZULn:qLxI8XSh4yUF/oWR+mLKpYIr7l3ZQ7n
                                                                                                                          MD5:97EEC245165F2296139EF8D4D43BBB66
                                                                                                                          SHA1:0D91B68CCB6063EB342CFCED4F21A1CE4115C209
                                                                                                                          SHA-256:3C5CF7BDB27592791ADF4E7C5A09DDE4658E10ED8F47845064DB1153BE69487C
                                                                                                                          SHA-512:8594C49CAB6FF8385B1D6E174431DAFB0E947A8D7D3F200E622AE8260C793906E17AA3E6550D4775573858EA1243CCBF7132973CD1CF7A72C3587B9691535FF8
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):966946
                                                                                                                          Entropy (8bit):7.8785200658952
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:qBcvGBGhXQir6H1ws6+iU0YuA35VuinHX2NPs:ccvGBGdQ5CsMxQVj3yPs
                                                                                                                          MD5:F03AB824395A8F1F1C4F92763E5C5CAD
                                                                                                                          SHA1:A6E021918C3CEFFB6490222D37ECEED1FC435D52
                                                                                                                          SHA-256:D96F7A63A912CA058FB140138C41DCB3AF16638BA40820016AF78DF5D07FAEDD
                                                                                                                          SHA-512:0241146B63C938F11045FB9DF5360F63EF05B9B3DD1272A3E3E329A1BFEC5A4A645D5472461DE9C06CFE4ADB991FE96C58F0357249806C341999C033CD88A7AF
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1204049
                                                                                                                          Entropy (8bit):7.92476783994848
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:+3zSQBxvOUIpHLYTCEmS1Wu09jRalJP3sdgnmAOFt0zU4L0MRx5QNn5:+bvI5UTCPu09qP3JPOFoR4N5
                                                                                                                          MD5:FD5BBC58056522847B3B75750603DF0C
                                                                                                                          SHA1:97313E85C0937739AF7C7FC084A10BF202AC9942
                                                                                                                          SHA-256:44976408BD6D2703BDBE177259061A502552193B1CD05E09B698C0DAC3653C5F
                                                                                                                          SHA-512:DBD72827044331215A7221CA9B0ECB8809C7C79825B9A2275F3450BAE016D7D320B4CA94095F7CEF4372AC63155C78CA4795E23F93166D4720032ECF9F932B8E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):976001
                                                                                                                          Entropy (8bit):7.791956689344336
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:zHM7eZGgFiHMRej4N9tpytNZ+tIw5ErZBImlX0m:zHM7eZGgFiHMRej++NZ+F5WvllZ
                                                                                                                          MD5:9E563D44C28B9632A7CF4BD046161994
                                                                                                                          SHA1:D3DB4E5F5B1CC6DD08BB3EBF488FF05411348A11
                                                                                                                          SHA-256:86A70CDBE4377C32729FD6C5A0B5332B7925A91C492292B7F9C636321E6FAD86
                                                                                                                          SHA-512:8EB14A1B10CB5C7607D3E07E63F668CFC5FC345B438D39138D62CADF335244952FBC016A311D5CB8A71D50660C49087B909528FC06C1D10AF313F904C06CBD5C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1463634
                                                                                                                          Entropy (8bit):7.898382456989258
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:75MGNW/UpLkupMAqDJhNHK4/TuiKbdhbZM+byLH/:7ZwUpLkulkHK46iiDZHeLH/
                                                                                                                          MD5:ACBA78931B156E4AF5C4EF9E4AB3003B
                                                                                                                          SHA1:2A1F506749A046ECFB049F23EC43B429530EC489
                                                                                                                          SHA-256:943E4044C40ABA93BD7EA31E8B5EBEBD7976085E8B1A89E905952FA8DAC7B878
                                                                                                                          SHA-512:2815D912088BA049F468CA9D65B92F8951A9BE82AB194DBFACCF0E91F0202820F5BC9535966654D28F69A8B92D048808E95FEA93042D8C5DEA1DCB0D58BE5175
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2218943
                                                                                                                          Entropy (8bit):7.942378408801199
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:8mwK3gH/l4hM06Wqnnl1IdO9wASFntrPEWNe7:863gHt4hM9WWnMdO9w35PEWK
                                                                                                                          MD5:EE33FDA08FBF10EF6450B875717F8887
                                                                                                                          SHA1:7DFA77B8F4559115A6BF186EDE51727731D7107D
                                                                                                                          SHA-256:5CF611069F281584DE3E63DE8B99253AA665867299DC0192E8274A32A82CAA20
                                                                                                                          SHA-512:AED6E11003AAAACC3FB28AE838EDA521CB5411155063DFC391ACE2B9CBDFBD5476FAB2B5CC528485943EBBF537B95F026B7B5AB619893716F0A91AEFF076D885
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1750795
                                                                                                                          Entropy (8bit):7.892395931401988
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:DyeAqDJpUDH3xk8ZKIBuX3TPtd36v4o5d4PISMETGBP6eUP+xSeW3v0HKPsc:uRqUjSTPtd36AFDM/BP6eUeW3v0Fc
                                                                                                                          MD5:529795E0B55926752462CBF32C14E738
                                                                                                                          SHA1:E72DFF8354DF2CB6A5698F14BBD1805D72FEEAFF
                                                                                                                          SHA-256:8D341D1C24176DC6B67104C2AF90FABD3BFF666CCC0E269381703D7659A6FA05
                                                                                                                          SHA-512:A51F440F1E19C084D905B721D0257F7EEE082B6377465CB94E677C29D4E844FD8021D0B6BA26C0907B72B84157C60A3EFEDFD96C16726F6ABEA8D896D78B08CE
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2924237
                                                                                                                          Entropy (8bit):7.970803022812704
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:mc4NEo4XNd5wU5qTkdC4+K9u5b/i40RKRAO/cLf68wy9yxKrOUURBgmai2prH:mJef5yTSoKMF//DRGJwLx9DBaH
                                                                                                                          MD5:5AF1581E9E055B6E323129E4B07B1A45
                                                                                                                          SHA1:B849F85BCAF0E1C58FA841FFAE3476D20D33F2DD
                                                                                                                          SHA-256:BDC9FBF81FBE91F5BF286B2CEA00EE76E70752F7E51FE801146B79F9ADCB8E98
                                                                                                                          SHA-512:11BFEF500DAEC099503E8CDB3B4DE4EDE205201C0985DB4CA5EBBA03471502D79D6616D9E8F471809F6F388D7CBB8B0D0799262CBE89FEB13998033E601CEE09
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2357051
                                                                                                                          Entropy (8bit):7.929430745829162
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:tfVcGO3JiR6SgT7/bOCrKCsaFCX3CzwovQTSwW8nX:pVcG2iRedsaoXSzeOwWEX
                                                                                                                          MD5:5BDE450A4BD9EFC71C370C731E6CDF43
                                                                                                                          SHA1:5B223FB902D06F9FCC70C37217277D1E95C8F39D
                                                                                                                          SHA-256:93BFC6AC1DC1CFF497DF92B30B42056C9D422B2321C21D65728B98E420D4ED50
                                                                                                                          SHA-512:2365A9F76DA07D705A6053645FD2334D707967878F930061D451E571D9228C74A8016367525C37D09CB2AD82261B4B9E7CAEFBA0B96CE2374AC1FAC6B7AB5123
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3611324
                                                                                                                          Entropy (8bit):7.965784120725206
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:ixc1kZBIabo4dTJyr3hJ50gd9OaFxTy+1Nn/M/noivF0po3M0h0Vsm:ixcaAabT83hJLdoaFxTygxcoiX3M0iCm
                                                                                                                          MD5:FB88BFB743EEA98506536FC44B053BD0
                                                                                                                          SHA1:B27A67A5EEC1B5F9E7A9C3B76223EDE4FCAF5537
                                                                                                                          SHA-256:05057213BA7E5437AC3B8E9071A5577A8F04B1A67EFE25A08D3884249A22FBBF
                                                                                                                          SHA-512:4270A19F4D73297EEC910B81FF17441F3FC7A6A2A84EBA2EA3F7388DD3AA0BA31E9E455CFF93D0A34F4EC7CA74672D407A1C4DC838A130E678CA92A2E085851C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1091485
                                                                                                                          Entropy (8bit):7.906659368807194
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:oBpmCkw3Tg/euEB+UdoC4k7ytHkHA6B/puqW2MIkTeSBmKrZHQ:MR3c/AseydwppC7veSBmWHQ
                                                                                                                          MD5:2192871A20313BEC581B277E405C6322
                                                                                                                          SHA1:1F9A6A5E10E1C3FFEB6B6725C5D2FA9ECDF51085
                                                                                                                          SHA-256:A06B302954A4C9A6A104A8691864A9577B0BFEA240B0915D9BEA006E98CDFFEC
                                                                                                                          SHA-512:6D8844D2807BB90AEA6FE0DDDB9C67542F587EC9B7FC762746164B2D4A1A99EF8368A70C97BAD7A986AAA80847F64408F50F4707BB039FCCC509133C231D53B9
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):608122
                                                                                                                          Entropy (8bit):7.729143855239127
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:Ckl6KRKwg9jf2q/bN69OuGFlC/DUhq68xOcJzGYnTxlLqU8dmTW:8yKwgZ2qY9kA7Uhq68H3ybmq
                                                                                                                          MD5:8BA551EEC497947FC39D1D48EC868B54
                                                                                                                          SHA1:02FA15FDAF0D7E2F5D44CAE5FFAE49E8F91328DF
                                                                                                                          SHA-256:DB2E99B969546E431548EBD58707FC001BBD1A4BDECAD387D194CC9C6D15AC89
                                                                                                                          SHA-512:CC97F9B2C83FF7CAC32AB9A9D46E0ACDE13EECABECD653C88F74E4FC19806BB9498D2F49C4B5581E58E7B0CB95584787EA455E69D99899381B592BEA177D4D4B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):5783
                                                                                                                          Entropy (8bit):7.88616857639663
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:CDG4D+8VsXzXc2zLXTJ2XFY47pk2G7HVlwFzTXNbMfmn2ivLZcreFWw5fc9ADdZm:CDG4DRGY23l2Xu47GL7YtT9V29yWvWdk
                                                                                                                          MD5:8109B3C170E6C2C114164B8947F88AA1
                                                                                                                          SHA1:FC63956575842219443F4B4C07A8127FBD804C84
                                                                                                                          SHA-256:F320B4BB4E57825AA4A40E5A61C1C0189D808B3EACE072B35C77F38745A4C416
                                                                                                                          SHA-512:F8A8D7A6469CD3E7C31F3335DDCC349AD7A686730E1866F130EE36AA9994C52A01545CE73D60B642FFE0EE49972435D183D8CD041F2BB006A6CAF31BAF4924AC
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4026
                                                                                                                          Entropy (8bit):7.809492693601857
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:VpDCBFLhxaUGm5EWA07yNdKH1FQpy8tnX8Iz3b7TrT502+fPD:VpDYFFRMNU+RtXzLf35t+3D
                                                                                                                          MD5:5D9BAD7ADB88CEE98C5203883261ACA1
                                                                                                                          SHA1:FBF1647FCF19BCEA6C3CF4365C797338CA282CD2
                                                                                                                          SHA-256:8CE600404BB3DB92A51B471D4AB8B166B566C6977C9BB63370718736376E0E2F
                                                                                                                          SHA-512:7132923869A3DA2F2A75393959382599D7C4C05CA86B4B27271AB9EA95C7F2E80A16B45057F4FB729C9593F506208DC70AF2A635B90E4D8854AC06C787F6513D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4243
                                                                                                                          Entropy (8bit):7.824383764848892
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:22MQe4zHye8/djzF+JjvtmMkkBpF7e0LTkaf:22De4zHHCvF+nRBDXoaf
                                                                                                                          MD5:7BC0A35807CD69C37A949BBD51880FF5
                                                                                                                          SHA1:B5870846F44CAD890C6EFF2F272A037DA016F0D8
                                                                                                                          SHA-256:BD3A013F50EBF162AAC4CED11928101554C511BD40C2488CF9F5842A375B50CA
                                                                                                                          SHA-512:B5B785D693216E38B5AB3F401F414CADACCDCB0DCA4318D88FE1763CD3BAB8B7670F010765296613E8D3363E47092B89357B4F1E3242F156750BE86F5F7E9B8D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):16806
                                                                                                                          Entropy (8bit):7.9519793977093505
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:eSMjhqgJDGwOzHR3iCpK+QdLdfufFJ9aDn9LjDMVAwHknbz7OW:eSkhqglGwERSAHQdLhDn9AKokv7H
                                                                                                                          MD5:950F3AB11CB67CC651082FEBE523AF63
                                                                                                                          SHA1:418DE03AD2EF93D0BD29C3D7045E94D3771DACB4
                                                                                                                          SHA-256:9C5E4D8966A0B30A22D92DB1DA2F0DBF06AC2EA75E7BB8501777095EA0196974
                                                                                                                          SHA-512:D74BF52A58B0C0327DB9DDCAD739794020F00B3FA2DE2B44DAAEC9C1459ECAF3639A5D761BBBC6BDF735848C4FD7E124D13B23964B0055BB5AA4F6AFE76DFE00
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):11380
                                                                                                                          Entropy (8bit):7.891971054886943
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:VJcnLYnAVbOFLaCPLrGGbhaWEu6d3RmryqLkeAShObPb1AYcRMMXjkfa0nYBwggD:VcMC8lLrRbhy1ZqLyShYb1FHQ4C0nYQJ
                                                                                                                          MD5:C9F9364C659E2F0C626AC0D0BB519062
                                                                                                                          SHA1:C4036C576074819309D03BB74C188BF902D1AE00
                                                                                                                          SHA-256:6FC428CA0DCFC27D351736EF16C94D1AB08DDA50CB047A054F37EC028DD08AA2
                                                                                                                          SHA-512:173A5E68E55163B081C5A8DA24AE46428E3FB326EBE17AE9588C7F7D7E5E5810BFCF08C23C3913D6BEC7369E06725F50387612F697AC6A444875C01A2C94D0FF
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6024
                                                                                                                          Entropy (8bit):7.886254023824049
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:bGa2onnLYHTSSxpHVTSH1bywZKmpRqiUtFvS9xrPooBpni6eDa16MUELHsrKjRBA:SJonLYzSSr1TuZNwtFZKpiiyrKXuCUd
                                                                                                                          MD5:20621E61A4C5B0FFEEC98FFB2B3BCD31
                                                                                                                          SHA1:4970C22A410DCB26D1BD83B60846EF6BEE1EF7C4
                                                                                                                          SHA-256:223EA2602C3E95840232CACC30F63AA5B050FA360543C904F04575253034E6D7
                                                                                                                          SHA-512:BDF3A8E3D6EE87D8ADE0767918603B8D238CAE8A2DD0C0F0BF007E89E057C7D1604EB3CCAF0E1BA54419C045FC6380ECBDD070F1BB235C44865F1863A8FA7EEA
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):9191
                                                                                                                          Entropy (8bit):7.93263830735235
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:oeAMExvPJMg+yE+AfJLi3+Xoj7F3sPgMG61J88eDhFWT7hFNsdJtnLYJ7tSh:v2d+hnfJLi3+4ja4WqhFWT7FsdHMA
                                                                                                                          MD5:08D3A25DD65E5E0D36ADC602AE68C77D
                                                                                                                          SHA1:F23B6DDB3DA0015B1D8877796F7001CABA25EA64
                                                                                                                          SHA-256:58B45B9DBA959F40294DA2A54270F145644E810290F71260B90F0A3A9FCDEBC1
                                                                                                                          SHA-512:77D24C272D67946A3413D0BEA700A7519B4981D3B4D8486A655305546CE6133456321EE94FD71008CBFD678433EA1C834CFC147179B31899A77D755008FCE489
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4326
                                                                                                                          Entropy (8bit):7.821066198539098
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:+fF+Jrp7Yo5hnJiGa24TxEcpUeONo1w2NFocy2LQi33Z:2+f7YuhJdJ4TxEcmKwGkk3Z
                                                                                                                          MD5:D32E93F7782B21785424AE2BEA62B387
                                                                                                                          SHA1:1D5589155C319E28383BC01ED722D4C2A05EF593
                                                                                                                          SHA-256:2DC7E71759D84EF8BB23F11981E2C2044626FEA659383E4B9922FE5891F5F478
                                                                                                                          SHA-512:5B07D6764A6616A7EF25B81AB4BD4601ECEC1078727BFEAB4A780032AD31B1B26C7A2306E0DBB5B39FC6E03A3FC18AD67C170EA9790E82D8A6CEAB8E7F564447
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7370
                                                                                                                          Entropy (8bit):7.9204386289679745
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:fYa+ngK2xG6HvLvoUnXxO+blKO1lt2Zg0AV:fYVn8Y6Hv3XxO+8uQZCV
                                                                                                                          MD5:586CEBC1FAC6962F9E36388E5549FFE9
                                                                                                                          SHA1:D1EF3BF2443AE75A78E9FDE8DD02C5B3E46F5F2E
                                                                                                                          SHA-256:1595C0C027B12FE4C2B506B907C795D14813BBF64A2F3F6F5D71912D7E57BC40
                                                                                                                          SHA-512:68DEAE9C59EA98BD597AE67A17F3029BC7EA2F801AC775CF7DECA292069061EA49C9DF5776CB5160B2C24576249DAF817FA463196A04189873CF16EFC4BEDC62
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):5596
                                                                                                                          Entropy (8bit):7.875182123405584
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:dGa2unnLYEB2EUAPOak380NQjqbHaPKJebgrEVws8Vw+BMa0EbdLVQaZJgDZh0pJ:UJunLYEB2EUAxk3pIYaScgYwsV4bdS0X
                                                                                                                          MD5:CDC1493350011DB9892100E94D5592FE
                                                                                                                          SHA1:684B444ADE2A8DBE760B54C08F2D28F2D71AD0FA
                                                                                                                          SHA-256:F637A67799B492FEFFB65632FED7815226396B4102A7ED790E0D9BB4936E1548
                                                                                                                          SHA-512:3699066A4E8A041079F12E88AB2E7F485E968619CB79175267842846A3AD64AA8E7778CBACDF1117854A7FDCFB46C8025A62F147C81074823778C6B4DC930F12
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3683
                                                                                                                          Entropy (8bit):7.772039166640107
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:GyfQZd6ZHNCWl9aXFkZwIq/QDsRYPf8P9QtDIs5r:G6wYtNZS1k99AmPfSOtD5r
                                                                                                                          MD5:E8308DA3D46D0BC30857243E1B7D330D
                                                                                                                          SHA1:C7F8E54A63EB254C194A23137F269185E07F9D10
                                                                                                                          SHA-256:6534D4D7EF31B967DD0A20AFFF092F8B93D3C0EFCBF19D06833F223A65C6E7C4
                                                                                                                          SHA-512:88AB7263B7A8D7DDE1225AE588842E07DF3CE7A07CBD937B7E26DA7DA7CFED23F9C12730D9EF4BC1ACF26506A2A96E07875A1A40C2AD55AD1791371EE674A09B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4888
                                                                                                                          Entropy (8bit):7.8636569313247335
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:StrFZ23/juILHPzms5UTuK9CuZGEoEuZ28H1HiGa2RnnLY+tUb:SPZQ7uCHPzms5UTlqauZVHdJRnLY+tUb
                                                                                                                          MD5:0A4CA91036DC4F3CD8B6DBF18094CF25
                                                                                                                          SHA1:6C7EED2530CD0032E9EEAB589AFBC296D106FBB9
                                                                                                                          SHA-256:E5A56CCB3B3898F76ABF909209BFAB401B5DDCD88289AD43CE96B02989747E50
                                                                                                                          SHA-512:7C69426F2250E8C84368E8056613C22977630A4B3F5B817FB5EA69081CE2A3CA6E5F93DF769264253D5411419AF73467A27F0BB61291CCDE67D931BD0689CB66
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6448
                                                                                                                          Entropy (8bit):7.897260397307811
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:tgaoRbo1sMjb0NiJ85oPtqcS+yaXWoa8XBzdJYnLYFtWT7:LR1sk+i4o1qc1yaukzd8MK
                                                                                                                          MD5:42A840DC06727E42D42C352703EC72AA
                                                                                                                          SHA1:21AAAF517AFB76BF1AF4E06134786B1716241D29
                                                                                                                          SHA-256:02CCE7D526F844F70093AC41731D1A1E9B040905DCBA63BA8BFFC0DBD4D3A7A7
                                                                                                                          SHA-512:8886BFD240D070237317352DEB3D46C6B07E392EBD57730B1DED016BD8740E75B9965F7A3FCD43796864F32AAE0BE911AB1A670E9CCC70E0774F64B1BDA93488
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):5630
                                                                                                                          Entropy (8bit):7.87271654296772
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:n5ni6jKZWsD+QJaUQ7R6qYFF5QS+BEgeJam6S7ZCHuKViGa2CnnLYLt/ht:nccqxIBdQ1QS+uDJanS7ZCHHVdJCnLY5
                                                                                                                          MD5:2F8998AA9CF348F1D6DE16EAB2D92070
                                                                                                                          SHA1:85B13499937B4A584BEA0BFE60475FD4C73391B6
                                                                                                                          SHA-256:8A216D16DEC44E02B9AB9BBADF8A11F97210D8B73277B22562A502550658E580
                                                                                                                          SHA-512:F10F7772985EDDA442B9558127F1959FF0A9909C7B7470E62D74948428BFFF7E278739209E8626AE5917FF728AFB8619AE137BEE2A6A4F40662122208A41ABB2
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6193
                                                                                                                          Entropy (8bit):7.855499268199703
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:WavHMKgnU2HUGFhUnkbOKoztj1QfcnLYut3d8:YKeUlGXUnC+HQSMp
                                                                                                                          MD5:031C246FFE0E2B623BBBD231E414E0D2
                                                                                                                          SHA1:A57CA6134779D54691A4EFD344BC6948E253E0BA
                                                                                                                          SHA-256:2D76C8D1D59EDB40D1FBBC6406A06577400582D1659A544269500479B6753CF7
                                                                                                                          SHA-512:6A784C28E12C3740300883A0E690F560072A3EA8199977CBD7F260A21E8346B82BA8A4F78394D3BB53FA2E98564B764C2D0232C40B25FB6085C36D20D70A39D1
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3075
                                                                                                                          Entropy (8bit):7.716021191059687
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:96yn4sOBoygpySCCxwKsZCB2oLEIK+aQpUNLRQWtmMamIZxAwCC2QnyODhVOzP4:l0vCxJsZQ2ofpKvtmMdIZxAwJyODhVOE
                                                                                                                          MD5:67766FF48AF205B771B53AA2FA82B4F4
                                                                                                                          SHA1:0964F8B9DC737E954E16984A585BDC37CE143D84
                                                                                                                          SHA-256:160D05B4CB42E1200B859A2DE00770A5C9EBC736B70034AFC832A475372A1667
                                                                                                                          SHA-512:AC28B0B4A9178E9B424E5893870913D80F4EE03D595F587AA1D3ACC68194153BAFC29436ADFD6EA8992F0B00D17A43CFB42C529829090AF32C3BE591BD41776D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft OOXML
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):5151
                                                                                                                          Entropy (8bit):7.859615916913808
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:WkV3UHhcZDEteEJqeSGzpG43GUR8m8b6dDLiCTfjKPnD6H5RhfuDKNtxx3+7tDLp:Wq3UBc9EJqIpGgD5dDL1DjKvDKhfnNti
                                                                                                                          MD5:6C24ED9C7C868DB0D55492BB126EAFF8
                                                                                                                          SHA1:C6D96D4D298573B70CF5C714151CF87532535888
                                                                                                                          SHA-256:48AF17267AD75C142EFA7AB7525CA48FAB579592339FB93E92C4C4DA577D4C9F
                                                                                                                          SHA-512:A3E9DC48C04DC8571289F57AE790CA4E6934FBEA4FDDC20CB780F7EA469FE1FC1D480A1DBB04D15301EF061DA5700FF0A793EB67D2811C525FEF618B997BCABD
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):333258
                                                                                                                          Entropy (8bit):4.654450340871081
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:ybW83Zb181+MKHZR5D7H3hgtfL/8mIDbEhPv9FHSVsioWUyGYmwxAw+GIfnUNv5J:i
                                                                                                                          MD5:5632C4A81D2193986ACD29EADF1A2177
                                                                                                                          SHA1:E8FF4FDFEB0002786FCE1CF8F3D25F8E9631E346
                                                                                                                          SHA-256:06DE709513D7976690B3DD8F5FDF1E59CF456A2DFBA952B97EACC72FE47B238B
                                                                                                                          SHA-512:676CE1957A374E0F36634AA9CFFBCFB1E1BEFE1B31EE876483B10763EA9B2D703F2F3782B642A5D7D0945C5149B572751EBD9ABB47982864834EF61E3427C796
                                                                                                                          Malicious:false
                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.. <xsl:output method="html" encoding="us-ascii"/>.... <xsl:template match="*" mode="outputHtml2">.. <xsl:apply-templates mode="outputHtml"/>.. </xsl:template>.... <xsl:template name="StringFormatDot">.. <xsl:param name="format" />.. <xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.. <xsl:when test="$format = ''"></xsl:when>.. <xsl:when test="substring($format, 1, 2) = '%%'">.. <xsl:text>%</xsl:text>.. <xsl:call-template name="StringFormatDot">.. <xsl:with-param name="format" select="substring($format, 3)" />.. <xsl:with-param name=
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):296658
                                                                                                                          Entropy (8bit):5.000002997029767
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:RwprAMk0qvtfL/vF/bkWPz9yv7EOMBPitjASjTQQr7IwR0TnyDkJb78plJwf33iV:M
                                                                                                                          MD5:9AC6DE7B629A4A802A41F93DB2C49747
                                                                                                                          SHA1:3D6E929AA1330C869D83F2BF8EBEBACD197FB367
                                                                                                                          SHA-256:52984BC716569120D57C8E6A360376E9934F00CF31447F5892514DDCCF546293
                                                                                                                          SHA-512:5736F14569E0341AFB5576C94B0A7F87E42499CEC5927AAC83BB5A1F77B279C00AEA86B5F341E4215076D800F085D831F34E4425AD9CFD52C7AE4282864B1E73
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):268317
                                                                                                                          Entropy (8bit):5.05419861997223
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:JwprAJLR95vtfb8p4bgWPzDCvCmvQursq7vImej/yQzSS1apSiQhHDOruvoVeMUh:N9
                                                                                                                          MD5:51D32EE5BC7AB811041F799652D26E04
                                                                                                                          SHA1:412193006AA3EF19E0A57E16ACF86B830993024A
                                                                                                                          SHA-256:6230814BF5B2D554397580613E20681752240AB87FD354ECECF188C1EABE0E97
                                                                                                                          SHA-512:5FC5D889B0C8E5EF464B76F0C4C9E61BDA59B2D1205AC9417CC74D6E9F989FB73D78B4EB3044A1A1E1F2C00CE1CA1BD6D4D07EEADC4108C7B124867711C31810
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):255948
                                                                                                                          Entropy (8bit):5.103631650117028
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:gwprAm795vtfb8p4bgWPWEtTmtcRCDPThNPFQwB+26RxlsIBkAgRMBHcTCwsHe5a:kW
                                                                                                                          MD5:9888A214D362470A6189DEFF775BE139
                                                                                                                          SHA1:32B552EB3C73CD7D0D9D924C96B27A86753E0F97
                                                                                                                          SHA-256:C64ED5C2A323C00E84272AD3A701CAEBE1DCCEB67231978DE978042F09635FA7
                                                                                                                          SHA-512:8A75FC2713003FA40B9730D29C786C76A796F30E6ACE12064468DD2BB4BF97EF26AC43FFE1158AB1DB06FF715D2E6CDE8EF3E8B7C49AA1341603CE122F311073
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):251032
                                                                                                                          Entropy (8bit):5.102652100491927
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:hwprA5R95vtfb8p4bgWPwW6/m26AnV9IBgIkqm6HITUZJcjUZS1XkaNPQTlvB2zr:JA
                                                                                                                          MD5:F425D8C274A8571B625EE66A8CE60287
                                                                                                                          SHA1:29899E309C56F2517C7D9385ECDBB719B9E2A12B
                                                                                                                          SHA-256:DD7B7878427276AF5DBF8355ECE0D1FE5D693DF55AF3F79347F9D20AE50DB938
                                                                                                                          SHA-512:E567F283D903FA533977B30FD753AA1043B9DDE48A251A9AC6777A3B67667443FEAD0003765A630D0F840B6C275818D2F903B6CB56136BEDCC6D9BDD20776564
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):284415
                                                                                                                          Entropy (8bit):5.00549404077789
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:N9G5o7Fv0ZcxrStAtXWty8zRLYBQd8itHiYYPVJHMSo27hlwNR57johqBXlwNR2b:y
                                                                                                                          MD5:33A829B4893044E1851725F4DAF20271
                                                                                                                          SHA1:DAC368749004C255FB0777E79F6E4426E12E5EC8
                                                                                                                          SHA-256:C40451CADF8944A9625DD690624EA1BA19CECB825A67081E8144AD5526116924
                                                                                                                          SHA-512:41C1F65E818C2757E1A37F5255E98F6EDEAC4214F9D189AD09C6F7A51F036768C1A03D6CFD5845A42C455EE189D13BB795673ACE3B50F3E1D77DAFF400F4D708
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):294178
                                                                                                                          Entropy (8bit):4.977758311135714
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:ydkJ3yU0orh0SCLVXyMFsoiOjWIm4vW2uo4hfhf7v3uH4NYYP4BpBaZTTSSamEUD:b
                                                                                                                          MD5:0C9731C90DD24ED5CA6AE283741078D0
                                                                                                                          SHA1:BDD3D7E5B0DE9240805EA53EF2EB784A4A121064
                                                                                                                          SHA-256:ABCE25D1EB3E70742EC278F35E4157EDB1D457A7F9D002AC658AAA6EA4E4DCDF
                                                                                                                          SHA-512:A39E6201D6B34F37C686D9BD144DDD38AE212EDA26E3B81B06F1776891A90D84B65F2ABC5B8F546A7EFF3A62D35E432AF0254E2F5BFE4AA3E0CF9530D25949C0
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):270198
                                                                                                                          Entropy (8bit):5.073814698282113
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:JwprAiaR95vtfb8pDbgWPzDCvCmvQursq7vImej/yQ4SS1apSiQhHDOruvoVeMUX:We
                                                                                                                          MD5:FF0E07EFF1333CDF9FC2523D323DD654
                                                                                                                          SHA1:77A1AE0DD8DBC3FEE65DD6266F31E2A564D088A4
                                                                                                                          SHA-256:3F925E0CC1542F09DE1F99060899EAFB0042BB9682507C907173C392115A44B5
                                                                                                                          SHA-512:B4615F995FAB87661C2DBE46625AA982215D7BDE27CAFAE221DCA76087FE76DA4B4A381943436FCAC1577CB3D260D0050B32B7B93E3EB07912494429F126BB3D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):217137
                                                                                                                          Entropy (8bit):5.068335381017074
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:AwprA3Z95vtf58pb1WP2DCvCmvQursq7vIme5QyQzSS1apSiQhHDlruvoVeMUwFj:4P
                                                                                                                          MD5:3BF8591E1D808BCCAD8EE2B822CC156B
                                                                                                                          SHA1:9CC1E5EFD715BD0EAE5AF983FB349BAC7A6D7BA0
                                                                                                                          SHA-256:7194396E5C833E6C8710A2E5D114E8E24338C64EC9818D51A929D57A5E4A76C8
                                                                                                                          SHA-512:D434A4C15DA3711A5DAAF5F7D0A5E324B4D94A04B3787CA35456BFE423EAC9D11532BB742CDE6E23C16FA9FD203D3636BD198B41C7A51E7D3562D5306D74F757
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):254875
                                                                                                                          Entropy (8bit):5.003842588822783
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:MwprAnniNgtfbzbOWPuv7kOMBLitjAUjTQLrYHwR0TnyDkHqV3iPr1zHX5T6SSXj:a
                                                                                                                          MD5:377B3E355414466F3E3861BCE1844976
                                                                                                                          SHA1:0B639A3880ACA3FD90FA918197A669CC005E2BA4
                                                                                                                          SHA-256:4AC5B26C5E66E122DE80243EF621CA3E1142F643DD2AD61B75FF41CFEE3DFFAF
                                                                                                                          SHA-512:B050AD52A8161F96CBDC880DD1356186F381B57159F5010489B04528DB798DB955F0C530465AB3ECD5C653586508429D98336D6EB150436F1A53ABEE0697AEB9
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):344303
                                                                                                                          Entropy (8bit):5.023195898304535
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:UwprANnsqvtfL/vF/bkWPRMMv7EOMBPitjASjTQQr7IwR0TnyDk1b78plJwf33iD:6
                                                                                                                          MD5:F079EC5E2CCB9CD4529673BCDFB90486
                                                                                                                          SHA1:FBA6696E6FA918F52997193168867DD3AEBE1AD6
                                                                                                                          SHA-256:3B651258F4D0EE1BFFC7FB189250DED1B920475D1682370D6685769E3A9346DB
                                                                                                                          SHA-512:4FFFA59863F94B3778F321DA16C43B92A3053E024BDD8C5317077EA1ECC7B09F67ECE3C377DB693F3432BF1E2D947EC5BF8E88E19157ED08632537D8437C87D6
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):250983
                                                                                                                          Entropy (8bit):5.057714239438731
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:JwprA6OS95vtfb8p4bgWPzkhUh9I5/oBRSifJeg/yQzvapSiQhHZeruvoXMUw3im:uP
                                                                                                                          MD5:F883B260A8D67082EA895C14BF56DD56
                                                                                                                          SHA1:7954565C1F243D46AD3B1E2F1BAF3281451FC14B
                                                                                                                          SHA-256:EF4835DB41A485B56C2EF0FF7094BC2350460573A686182BC45FD6613480E353
                                                                                                                          SHA-512:D95924A499F32D9B4D9A7D298502181F9E9048C21DBE0496FA3C3279B263D6F7D594B859111A99B1A53BD248EE69B867D7B1768C42E1E40934E0B990F0CE051E
                                                                                                                          Malicious:false
                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Word 2007+
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):51826
                                                                                                                          Entropy (8bit):5.541375256745271
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:erH5dYPCA4t3aEFGiSUDtYfEbi5Ry/AT7/6tHODaFlDSomurYNfT4A0VIwWNS89u:Q6Cbh9tENyWdaFUSYNfZS89/3qtEu
                                                                                                                          MD5:2AB22AC99ACFA8A82742E774323C0DBD
                                                                                                                          SHA1:790F8B56DF79641E83A16E443A75A66E6AA2F244
                                                                                                                          SHA-256:BC9D45D0419A08840093B0BF4DCF96264C02DFE5BD295CD9B53722E1DA02929D
                                                                                                                          SHA-512:E5715C0ECF35CE250968BD6DE5744D28A9F57D20FD6866E2AF0B2D8C8F80FEDC741D48F554397D61C5E702DA896BD33EED92D778DBAC71E2E98DCFB0912DE07B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Word 2007+
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):47296
                                                                                                                          Entropy (8bit):6.42327948041841
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:ftjI1BT8N37szq00s7dB2wMVJGHR97/RDU5naXUsT:fJIPTfq0ndB2w1bpsE
                                                                                                                          MD5:5A53F55DD7DA8F10A8C0E711F548B335
                                                                                                                          SHA1:035E685927DA2FECB88DE9CAF0BECEC88BC118A7
                                                                                                                          SHA-256:66501B659614227584DA04B64F44309544355E3582F59DBCA3C9463F67B7E303
                                                                                                                          SHA-512:095BD5D1ACA2A0CA3430DE2F005E1D576AC9387E096D32D556E4348F02F4D658D0E22F2FC4AA5BF6C07437E6A6230D2ABF73BBD1A0344D73B864BC4813D60861
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Word 2007+
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):34415
                                                                                                                          Entropy (8bit):7.352974342178997
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:ev13NPo9o5NGEVIi3kvH+3SMdk7zp3tE2:ev13xoOE+R3BkR7
                                                                                                                          MD5:7CDFFC23FB85AD5737452762FA36AAA0
                                                                                                                          SHA1:CFBC97247959B3142AFD7B6858AD37B18AFB3237
                                                                                                                          SHA-256:68A8FBFBEE4C903E17C9421082E839144C205C559AFE61338CBDB3AF79F0D270
                                                                                                                          SHA-512:A0685FD251208B772436E9745DA2AA52BC26E275537688E3AB44589372D876C9ACE14B21F16EC4053C50EB4C8E11787E9B9D922E37249D2795C5B7986497033E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:Microsoft Word 2007+
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3465076
                                                                                                                          Entropy (8bit):7.898517227646252
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:98304:n8ItVaN7vTMZ9IBbaETXbI8ItVaN7vTMZ9IBbaEiXbY:8ItwNX9BvTvItwNX9BvoM
                                                                                                                          MD5:8BC84DB5A3B2F8AE2940D3FB19B43787
                                                                                                                          SHA1:3A5FE7B14D020FAD0E25CD1DF67864E3E23254EE
                                                                                                                          SHA-256:AF1FDEEA092169BF794CDC290BCA20AEA07AC7097D0EFCAB76F783FA38FDACDD
                                                                                                                          SHA-512:558F52C2C79BF4A3FBB8BB7B1C671AFD70A2EC0B1BDE10AC0FED6F5398E53ED3B2087B38B7A4A3D209E4F1B34150506E1BA362E4E1620A47ED9A1C7924BB9995
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):12
                                                                                                                          Entropy (8bit):0.41381685030363374
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:/l:
                                                                                                                          MD5:E4A1661C2C886EBB688DEC494532431C
                                                                                                                          SHA1:A2AE2A7DB83B33DC95396607258F553114C9183C
                                                                                                                          SHA-256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
                                                                                                                          SHA-512:EFDCB76FB40482BC94E37EAE3701E844BF22C7D74D53AEF93AC7B6AE1C1094BA2F853875D2C66A49A7075EA8C69F5A348B786D6EE0FA711669279D04ADAAC22C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: RMS - Host 7.2, Comments: This installer contains the logic and data to install RMS - Host 7.2, Keywords: Installer,MSI,Database, Subject: RMS - Host 7.2, Author: TektonIT, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2021 - Premier Edition with Virtualization Pack 27, Last Saved Time/Date: Thu Jul 18 02:24:09 2024, Create Time/Date: Thu Jul 18 02:24:09 2024, Last Printed: Thu Jul 18 02:24:09 2024, Revision Number: {134AA6F2-2A49-44F2-A7A5-B7B9233956FA}, Code page: 1251, Template: Intel;1049
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):26864640
                                                                                                                          Entropy (8bit):7.924911310016854
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:393216:3fWbJGFHH0km5pmwUs1211e50MRZDzPHPRn9xrUVaWILZPLM4ShshVK6KZ478Qic:3fRLmf21sq8P50dILZPLzVK6D
                                                                                                                          MD5:24F15E659ECB67862F4C6E72726BFCA7
                                                                                                                          SHA1:75D90172D7A315A31A484629DC8573367F3E544A
                                                                                                                          SHA-256:F11C06F1FD567E26FB4CE9999749516B6E47ADE4EE0B7B875A75A5CBFB74DC04
                                                                                                                          SHA-512:913C9FB7FDCA7F9F7DD7077C34092E76E42D88802406C9A5F6E8AA0C21E4F21FEE850A39B95982EFE9ED4A2D022A95C30739CC20DC65F3C6722B6022D8F76B3C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):169896
                                                                                                                          Entropy (8bit):6.068969720857241
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:jqSoP/44Yvge5XKhpKJJdu+ew+BZPHbN2e9n2p+:j5g/ve5XKhMVJSIun6+
                                                                                                                          MD5:B5ADF92090930E725510E2AAFE97434F
                                                                                                                          SHA1:EB9AFF632E16FCB0459554979D3562DCF5652E21
                                                                                                                          SHA-256:1F6F0D9F136BC170CFBC48A1015113947087AC27AED1E3E91673FFC91B9F390B
                                                                                                                          SHA-512:1076165011E20C2686FB6F84A47C31DA939FA445D9334BE44BDAA515C9269499BD70F83EB5FCFA6F34CF7A707A828FF1B192EC21245EE61817F06A66E74FF509
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._`,"..Bq..Bq..Bq..q..Bq<.q..Bq..q..Bq..q/.Bq..qh.Bq.y.q..Bq.y.q..Bq..Cq..Bq..q..Bq..q..Bq..q..Bq...q..Bq..q..BqRich..Bq........PE..L.....,a...........!.....p...$......................................................U..................................m............`..p............x.......p..........................................@............................................text....o.......p.................. ..`.rdata..M............t..............@..@.data....1... ......................@....rsrc...p....`.......$..............@..@.reloc...L...p...N...*..............@..B................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1447471
                                                                                                                          Entropy (8bit):4.935932371155191
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:eMMMMMMSLLLLLLLFMMMMMMSLLLLLLLsMMMMMMSLLLLLLLi:eMMMMMMSLLLLLLLFMMMMMMSLLLLLLLsb
                                                                                                                          MD5:5668860EC9C2FB84F40BDFC8DC7DB431
                                                                                                                          SHA1:37D85723B7CEA464141A5E16AB504560B7292B2D
                                                                                                                          SHA-256:027906E6CF5C7677C49D074A14681F9AEED589C1EBCB41B4D8EA77A234422AF8
                                                                                                                          SHA-512:CE9CE625DA10B96BEB2AE85F251384EC0385E1483BB69F45D560B259C8AEE232DDE232C3446BC21AB4DB3D63C6FF6DEA5CADADFD7DACC4B84DA3B062CBCDA388
                                                                                                                          Malicious:false
                                                                                                                          Preview:...@IXOS.@.....@y4.Y.@.....@.....@.....@.....@.....@......&.{77817ADF-D5EC-49C6-B987-6169BBD5345B} .Remote Manipulator System - Host..Word.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{134AA6F2-2A49-44F2-A7A5-B7B9233956FA}.....@.....@.....@.....@.......@.....@.....@.......@.... .Remote Manipulator System - Host......Rollback....B.:.0.B. .4.5.9.A.B.2.8.O.:...[1]..RollbackCleanup..#.4.0.;.5.=.8.5. .2.@.5.<.5.=.=.K.E. .D.0.9.;.>.2...$.0.9.;.:. .[.1.]....@.......@........ProcessComponents"...1.=.>.2.;.5.=.8.5. .@.5.3.8.A.B.@.0.F.8.8. .:.>.<.?.>.=.5.=.B.>.2....@.....@.....@.]....&.{74F2505E-B20A-4AED-968F-AE5B278DB38A}8.C:\Program Files (x86)\Remote Manipulator System - Host\.@.......@.....@.....@......&.{26EAB54E-4659-47E8-86F9-4CB74F7E03BE}...@.......@.....@.....@......&.{596F4636-5D51-49F5-B3B4-F3C366E9DC23}...@.......@.....@.....@...........@....&.{00000000-0000-0000-0000-000000000000}.@.....@.....@......&.{182310A2-CD9E-4171-ACD1-3AEDD260A15F}D.C:\Program Files (x86)\Remote Manip
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):20480
                                                                                                                          Entropy (8bit):1.1611477327538005
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:JSbX72FjaEQAGiLIlHVRpzh/7777777777777777777777777vDHF5t07x6uPp0V:JSQI53vt016uy8F
                                                                                                                          MD5:3A06CFFF4D27BD203B0CB3603C32A3E5
                                                                                                                          SHA1:239E65BFFB870A6A288E3627E50A8AD03F7F136A
                                                                                                                          SHA-256:CD321E7E44489203BE070E23F1EA6B7E98E720117D0376E7458307A93138E0C7
                                                                                                                          SHA-512:71778410A9D6D26599FBAAAE191491D5790956E9A18B58B8CA58CADE5B135CCAD588AB1FDC991B4AD9E8EF6350EA5B76990525FC0481245DC98594B91331903B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):20480
                                                                                                                          Entropy (8bit):1.9253505197720553
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:x8PhhuRc06WXOcnT5ySSKdgfdguOdghRXdgkdgpdgKdgt6Adg6i2SBwdgfdguOdS:Mhh1anTESUGkOzs9t46jqvGkOzs9Hf
                                                                                                                          MD5:8D6627A9D97F54225AF7782813922813
                                                                                                                          SHA1:081CD7A4E1DC8BA9BF9A597C7E78CBEE40A808F8
                                                                                                                          SHA-256:F282CBB6E64CB44E215CF1F11C081A99A4FB7F2074EE0FF0C5215D3734CDDEB3
                                                                                                                          SHA-512:AE99EB62AFFBFE12A5741561BC256BC969E0B0438178B744FDF3E947C83A4A07C27F6AA808093090E7B5492FD334A282C3BB5E66ACEA8C85A53EECB05E7E166D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):79000
                                                                                                                          Entropy (8bit):5.817675016279098
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:/MAyYdTmPJbgqcnDckJ42T1IPAMxkEo2T1OtoAMxkEbK:/1U81ckJ52xVPxnK
                                                                                                                          MD5:E8CBBBE641AA6205C0E028CE7DC72CFE
                                                                                                                          SHA1:E845FB6044E5F611F4F990B76AA4762FAB6E96C9
                                                                                                                          SHA-256:61481606FE3FF53C9483586B4A95181D96F5679667ACCD582166069B10233D77
                                                                                                                          SHA-512:D12E6BBA83F1B41BB2B937B315C5CDD3ADFA60C318AD1E958D99251822810739D2C6EC75B664BBC3116B0CDBBBFA4BEBA234B8C604F303391E21CDA0C24767E5
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L.....-a.................@...................P....@.........................................................................4T..(.......t0...............d...........................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc...t0.......@..................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70808
                                                                                                                          Entropy (8bit):5.60723121147002
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:RdMAyYdTmPJbgqcnDc/soJP2T1qAMxkEvQ2T1h8uAMxkE4:/1U81cLJOGxF/hxM
                                                                                                                          MD5:F0F36966AD2B91DBE0C8B9D4E0A1AB0E
                                                                                                                          SHA1:B7787445DDD42A3B4753AFC0B02B270DDC1693FC
                                                                                                                          SHA-256:BE3C9594F315F2CE2698DFF54F7B41F012B25BF208DD88CEA7AC92936EC84AE9
                                                                                                                          SHA-512:B178A35B3F0A3CA67D632901C1F0AF309F51267DFA827AE029475C63BCF2BA51694C717C94989D7E457E915DAE74B43C3C6B405113249A7B1FF0E9BAE67E0949
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L.....-a.................@...`...............P....@.........................................................................4T..(.......\................d...........................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc...\........ ..................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):423064
                                                                                                                          Entropy (8bit):4.6899574334599645
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:1536:c1U81cqS/ZJgAmxJtAqXy/yxREpU1WyY68iuuuu6AppppppppEMMMMMMMSLLLLL+:UjcT6uuuutMMMMMMSLLLLLLLeYTZg
                                                                                                                          MD5:6A9AA00C428A946F9A5C5546A458ECA0
                                                                                                                          SHA1:06A70B197DEE2FC106576C6719CFF046D2747396
                                                                                                                          SHA-256:16601981E37F2FE16B8E0EA4626ABF57013458B63D1A71C8FA3B5080F3C191F5
                                                                                                                          SHA-512:EADDEE089D18ED744BB1DCAAA98A8F6E201022432C55D037D2A7EF994532197EF595E44DEEF9DB0CFAE8ACA50F4AB90CEEDB49F8E920E6B4FAF6C60B6EFEDD51
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L.....-a.................@...................P....@.................................v.......................................4T..(........u...............d...........................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc....u..........................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):423064
                                                                                                                          Entropy (8bit):4.690218208041496
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:1536:R1U81cqS/ZJgAmxJtAqXy/yxREpU1WyY68iuuuu6AppppppppEMMMMMMMSLLLLLe:DjcT6uuuutMMMMMMSLLLLLLLeYuGVk
                                                                                                                          MD5:AB85C5EEAD096C4E5D0A2914C24F59B2
                                                                                                                          SHA1:E189F9BA583B0A4EEE1C817C9DA8A5D72A038A83
                                                                                                                          SHA-256:F4F656CC3CD99ABC4CFC1A70BD77C52E36D59852987BE530E131CEF8238F4BA7
                                                                                                                          SHA-512:E70ACF9FCA9F0378FAC97421550984FF166D8D1D83F423400B108E804CA876EA6D7517398637D64C34CC0E46C14048BB9F50C8268D993FA983DB6B0E44A9C352
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L.....-a.................@...................P....@.................................>.......................................4T..(........u...............d...........................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc....u..........................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):423064
                                                                                                                          Entropy (8bit):4.690232052098797
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:1536:o1U81cqS/ZJgAmxJtAqXy/yxREpU1WyY68iuuuu6AppppppppEMMMMMMMSLLLLLU:IjcT6uuuutMMMMMMSLLLLLLLeYFuv
                                                                                                                          MD5:03A18CE97AA1C45D834524B8A408BC17
                                                                                                                          SHA1:72ABD8B4AC974928684B6D089F8573C70D431808
                                                                                                                          SHA-256:0ACFCA29B6128E0161B4E6D93FFF7686A96128016846625763DAB7F9CE059DEF
                                                                                                                          SHA-512:2A2DC903E4179EC83BB4FA557FFCCE8BA3D8FC175E9C817D34BA186704ECF06A281D96D35B12B8D54FE35683030942FDC9A3A1FDFDBEAA755A60436F3C7B3483
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L.....-a.................@...................P....@........................................................................4T..(........u...............d...........................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc....u..........................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):432221
                                                                                                                          Entropy (8bit):5.375176813463349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgau5:zTtbmkExhMJCIpErk
                                                                                                                          MD5:F2778C6C57966B06A72DAC740342C994
                                                                                                                          SHA1:01003F35BD2E68C1FBFE1D444D202390A8DD32AE
                                                                                                                          SHA-256:1B8053FE84208D2048250F50E69983A489FF177047307CE3F9D5D0B54466E612
                                                                                                                          SHA-512:93D95145647DBE93E89D0EBF58C19B98F9E50B70310456C47621BC5CFE3F1CD9C9D25F908CEAB293315740EC742E8E476D4528510EA43335E351D130BFFABE1D
                                                                                                                          Malicious:false
                                                                                                                          Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                          File Type:JSON data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):55
                                                                                                                          Entropy (8bit):4.306461250274409
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                          MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                          SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                          SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                          SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                          Malicious:false
                                                                                                                          Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                                          Process:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6544
                                                                                                                          Entropy (8bit):6.434448498189496
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:ER788fedNBkYmpEiaDE5XFO06rYCqRXUBQv/dcM:JvdMEiaDE5XMrhQv/db
                                                                                                                          MD5:FA3FFA1C6010CDB56CFADEF6AE94FC25
                                                                                                                          SHA1:294F2B24C1EA412A47801EE1AFE9778450AFDE58
                                                                                                                          SHA-256:E61CB68D602235B3B448499CFB34E641B25F54E5199A617FA40D85D0A954113C
                                                                                                                          SHA-512:5A8F8A4166BDA7858E8C598249A374CD4337E204F2A86775A675261A63AC004BC6F7738BB42E9575FC8315F2170D56A93DB5B26672CA9AA005D99515560F3B0D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1712
                                                                                                                          Entropy (8bit):7.607072872097237
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:Vk1IRjhPyjI5w6GlktA7FPSGBAS7jF78oekZdCrphruWeI8h6FfymkBZGfKkamou:HwI66lKpj9BdCusxIsfLamo3T6
                                                                                                                          MD5:92B4768535FBAE2B8196873594AC03B3
                                                                                                                          SHA1:D2C252C68467CFE5CF09AD4565F8CC68FD39691D
                                                                                                                          SHA-256:FE9A668474C969291050953E87A2684F5B9E5AA6368D0CC83FBDF70FF824448E
                                                                                                                          SHA-512:607E281D338AB15F2D79B6D06EDB795649866A22B09C7ED2782D8DFFE084492C1737866E6DA89C533406EDD7AA9AEF6E8CD1135D6ADB96941B3C48CDB384C80C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1680
                                                                                                                          Entropy (8bit):7.635594904919675
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:+s22iB+5Ee7nIxCw5DgSUnpU446J8WpNTE:FBEe7n4Cw5MSiw6mOTE
                                                                                                                          MD5:30702139B253AC040B4F6900E4C03D92
                                                                                                                          SHA1:44FEDAD665DFD1B137A72BB3541F7E27807DDFED
                                                                                                                          SHA-256:515131C7A4A22310E01FAA9CA6D5CAFE548EE65C2E782CF568326CE79F8A3FE7
                                                                                                                          SHA-512:F5DF6395AAE6BBA6293AC3ADA333D7BD6CE176BB4F637BB160E7D8138EBA09C60D1C7F7E8AB8CD2A5106610FC2FF2ADB0B024BA7AA89E6DC91359BE002ED8211
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1435
                                                                                                                          Entropy (8bit):7.51240291197171
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:qlcjIZwlo1qArihPbKyRWgpNORwfF7YpQfvmE1yPq8hruWa2tHP+HLuuDXXWLaH:Uuy1qAcPbKyRbORK9q3nPq4uRY4Luubf
                                                                                                                          MD5:5DDAFAD7EE6F36F6CF63DF5DFE280C83
                                                                                                                          SHA1:80E584013D12B2F9E9CA6B1AC3081FD1B9896E64
                                                                                                                          SHA-256:D15A5AD725BA84872905861C70C0BCE784C22E5B16D6274D41FB70911758FE3B
                                                                                                                          SHA-512:EE772B4AEB153574917190F58356C905414ED38BE7FAFB837EE7F82960BC58B77F5D26C99E6AE696E370AD1E8F1B0411046E47C8F97AB87B3068D8423D331FA6
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):222
                                                                                                                          Entropy (8bit):2.970200853694354
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:kkFklb4Ag+M1fllXlE/3Plkl+e7R8rHelJlWlLltUKlrlxUXW4mgelSlj:kK7A7MG2l+e7pWhliKxlxUDmgrj
                                                                                                                          MD5:619E6E415848609C7036696B698DA9D7
                                                                                                                          SHA1:9BA5DC12D2F494DFACB0B5E104A4C1BD0207B280
                                                                                                                          SHA-256:616302B00A086B89DC6CFE2E32FD2457935BAFE7C18C0444B97BB321D91E96F4
                                                                                                                          SHA-512:5A4E4F9431311FCAC61D053CA49D0E849D4A0A85E7B532464E8AC0189379ADB5651F9DF3D361048D7645DFFFD9B3B24DEB34D87B35AA5FF343EEE78D20C1BA87
                                                                                                                          Malicious:false
                                                                                                                          Preview:p...... ....j.....I.xE..(....................................................... .........*.\E...........[.O........h.t.t.p.:././.c.r.l...g.l.o.b.a.l.s.i.g.n...c.o.m./.g.s.g.c.c.r.4.5.c.o.d.e.s.i.g.n.c.a.2.0.2.0...c.r.l...
                                                                                                                          Process:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):532
                                                                                                                          Entropy (8bit):4.029042231176514
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:lyw/zEDWzJqe3KQj22iv8sFF1gUeMalCrlQNlVgfMk21PUJS:XzEDgJRjYvP+U7uCKlCMmI
                                                                                                                          MD5:83E610AF5BEA1A2DA8F3D1A78B7B9B4D
                                                                                                                          SHA1:850372DCDC20D81FD0801CC5E8B5DA41315E5EF8
                                                                                                                          SHA-256:EE374C058F7828418F46C500259078A871F2AC06EAD5B2FCD8DE7E11A8B51457
                                                                                                                          SHA-512:D631668593CEC564355C35ABAE9B9CCE9911F2E7F5155FE1B57AA70C332FECB4301082D122112DCB3B9D67E6F279B128BCDF9B9052096CDC8A78F1913C1310B8
                                                                                                                          Malicious:false
                                                                                                                          Preview:p...... ....J....,b.xE..(.................fbE...K...H...................K...H.. .........fbE......V.....y.........h.t.t.p.:././.o.c.s.p...g.l.o.b.a.l.s.i.g.n...c.o.m./.c.o.d.e.s.i.g.n.i.n.g.r.o.o.t.r.4.5./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.Q.V.F.Z.P.5.v.q.h.C.r.t.R.N.5.S.W.f.4.0.R.n.6.N.M.1.I.A.Q.U.H.w.C.%.2.F.R.o.A.K.%.2.F.H.g.5.t.6.W.0.Q.9.l.W.U.L.v.O.l.j.s.C.E.H.e.9.D.g.O.h.t.w.j.4.V.K.s.G.c.h.D.Z.B.E.c.%.3.D...".d.2.c.2.5.2.c.6.8.4.6.7.c.f.e.5.c.f.0.9.a.d.4.5.6.5.f.8.c.c.6.8.f.d.3.9.6.9.1.d."...
                                                                                                                          Process:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):544
                                                                                                                          Entropy (8bit):3.971529669877695
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:p+qzSfDWzf79bLgLzK8sFAY6ealztksMqr+YCqN:PzuDgz9YLmvqY6mqr1N
                                                                                                                          MD5:999C6FEB953D51A2FE87BEC9D27D4E2A
                                                                                                                          SHA1:4CD747402C01AECC1BA97E70986F78CE778BD029
                                                                                                                          SHA-256:98310D418FB8500B4C3358904BCC4069E43F873CE3C3DC088405524DD33D0974
                                                                                                                          SHA-512:F96B9B4A6F36234512A40A963EAFCB1F17388B5D1DF623A2ED30FAEB95A2ED2A76C4A212FC846FCAF60EDB093FAEC5144F2D5E6EB9B5DFF2B5505A777D86327E
                                                                                                                          Malicious:false
                                                                                                                          Preview:p...... ....V......xE..(..................a`E.......H.......................H.. ..........a`E......V...-.4.........h.t.t.p.:././.o.c.s.p...g.l.o.b.a.l.s.i.g.n...c.o.m./.g.s.g.c.c.r.4.5.c.o.d.e.s.i.g.n.c.a.2.0.2.0./.M.E.0.w.S.z.B.J.M.E.c.w.R.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.L.u.A.3.y.g.n.K.W.%.2.F.7.x.u.S.x.%.2.F.0.9.F.%.2.B.h.H.V.u.E.U.Q.Q.U.2.r.O.N.w.C.S.Q.o.2.t.3.0.w.y.g.W.d.0.h.Z.2.R.2.C.3.g.C.D.H.Z.G.D.p.D.i.h.E.2.3.%.2.B.Y.N.r.M.w.%.3.D.%.3.D...".4.4.f.e.d.a.d.6.6.5.d.f.d.1.b.1.3.7.a.7.2.b.b.3.5.4.1.f.7.e.2.7.8.0.7.d.d.f.e.d."...
                                                                                                                          Process:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):508
                                                                                                                          Entropy (8bit):4.03794965319668
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:R/2zRzqdDWzFU8iv8sFt4QAfROA/pULzWGuUlslcl5j:RozMDgFUhv/ofROS6LtuUycl5j
                                                                                                                          MD5:41D9EA6F7334A5A398355CFFB1F4C16F
                                                                                                                          SHA1:0DDEE1B128BC60F0FC4E27C13E71038144EADB36
                                                                                                                          SHA-256:694358AB49E269C2A8F34FC63C507435F66990D41CC329D6EE02DF0FE37FE724
                                                                                                                          SHA-512:9F2CC1D9EAC1F7779D6128AC5D1D044A205F85F16B869182A4EA3B82A97C94E7072832E87A74412B10447B3831C91CB5B60B2D3C2ADE7621457C96B642780014
                                                                                                                          Malicious:false
                                                                                                                          Preview:p...... ....2....lO.xE..(................x..WE.....U|H.....................U|H.. ........x..WE......V...%.)8........h.t.t.p.:././.o.c.s.p...g.l.o.b.a.l.s.i.g.n...c.o.m./.r.o.o.t.r.3./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.1.n.G.h.%.2.F.J.B.j.W.K.n.k.P.d.Z.I.z.B.1.b.q.h.e.l.H.B.w.Q.U.j.%.2.F.B.L.f.6.g.u.R.S.S.u.T.V.D.6.Y.5.q.L.3.u.L.d.G.7.w.C.E.H.g.D.G.E.J.F.c.I.p.B.z.2.8.B.u.O.6.0.q.V.Q.%.3.D...".8.0.e.5.8.4.0.1.3.d.1.2.b.2.f.9.e.9.c.a.6.b.1.a.c.3.0.8.1.f.d.1.b.9.8.9.6.e.6.4."...
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):512
                                                                                                                          Entropy (8bit):0.0
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3::
                                                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):20480
                                                                                                                          Entropy (8bit):1.9253505197720553
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:x8PhhuRc06WXOcnT5ySSKdgfdguOdghRXdgkdgpdgKdgt6Adg6i2SBwdgfdguOdS:Mhh1anTESUGkOzs9t46jqvGkOzs9Hf
                                                                                                                          MD5:8D6627A9D97F54225AF7782813922813
                                                                                                                          SHA1:081CD7A4E1DC8BA9BF9A597C7E78CBEE40A808F8
                                                                                                                          SHA-256:F282CBB6E64CB44E215CF1F11C081A99A4FB7F2074EE0FF0C5215D3734CDDEB3
                                                                                                                          SHA-512:AE99EB62AFFBFE12A5741561BC256BC969E0B0438178B744FDF3E947C83A4A07C27F6AA808093090E7B5492FD334A282C3BB5E66ACEA8C85A53EECB05E7E166D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):32768
                                                                                                                          Entropy (8bit):1.5180370062079536
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:PwZuUNvcFXOzT5XUkyjSSKdgfdguOdghRXdgkdgpdgKdgt6Adg6i2SBwdgfdguOo:YZMuTZtYSUGkOzs9t46jqvGkOzs9Hf
                                                                                                                          MD5:0D783AF1FD3F0AB59CE1F1171E2AEB6D
                                                                                                                          SHA1:8FF5AADF7FAE8B9243497662E1E445122FBFD257
                                                                                                                          SHA-256:A1A68A3D0693BA42EE4B8EE53B5B8A71D8CA22468F290D261FBD68E3403F2630
                                                                                                                          SHA-512:27E80EAD40EE7B8E1A1105B5DD2138F5BE4D57E1AD527B22D8421EA2F515051A4C3809D45DE43A303B2BEBF08DFF6ADA3A0B95B6D13DB53EFC478D0C57761F16
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):512
                                                                                                                          Entropy (8bit):0.0
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3::
                                                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):32768
                                                                                                                          Entropy (8bit):1.5180370062079536
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:PwZuUNvcFXOzT5XUkyjSSKdgfdguOdghRXdgkdgpdgKdgt6Adg6i2SBwdgfdguOo:YZMuTZtYSUGkOzs9t46jqvGkOzs9Hf
                                                                                                                          MD5:0D783AF1FD3F0AB59CE1F1171E2AEB6D
                                                                                                                          SHA1:8FF5AADF7FAE8B9243497662E1E445122FBFD257
                                                                                                                          SHA-256:A1A68A3D0693BA42EE4B8EE53B5B8A71D8CA22468F290D261FBD68E3403F2630
                                                                                                                          SHA-512:27E80EAD40EE7B8E1A1105B5DD2138F5BE4D57E1AD527B22D8421EA2F515051A4C3809D45DE43A303B2BEBF08DFF6ADA3A0B95B6D13DB53EFC478D0C57761F16
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):32768
                                                                                                                          Entropy (8bit):0.06843743119485104
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOZft07x6qkWrkoVky6l0t/:2F0i8n0itFzDHF5t07x6uC01
                                                                                                                          MD5:B23A8F32998499DA774A3479193D91FB
                                                                                                                          SHA1:0FE95AAD29FA238A9488C7C9BF7E1E265A18497B
                                                                                                                          SHA-256:3272D0750CE59B4FF12F23F507659A50D8EC4C4562130BD41A529780E660C33D
                                                                                                                          SHA-512:DBF24A27950DB9528F76E5FCD10F74518083DBBEBB583EA4CDD4295B3122B16640F7AA9C5E3D27DF38E2B0B40E89FF575FA3BBAF249FC0DBB25A4CAA9F7FB30E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):512
                                                                                                                          Entropy (8bit):0.0
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3::
                                                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):512
                                                                                                                          Entropy (8bit):0.0
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3::
                                                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):20480
                                                                                                                          Entropy (8bit):1.9253505197720553
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:x8PhhuRc06WXOcnT5ySSKdgfdguOdghRXdgkdgpdgKdgt6Adg6i2SBwdgfdguOdS:Mhh1anTESUGkOzs9t46jqvGkOzs9Hf
                                                                                                                          MD5:8D6627A9D97F54225AF7782813922813
                                                                                                                          SHA1:081CD7A4E1DC8BA9BF9A597C7E78CBEE40A808F8
                                                                                                                          SHA-256:F282CBB6E64CB44E215CF1F11C081A99A4FB7F2074EE0FF0C5215D3734CDDEB3
                                                                                                                          SHA-512:AE99EB62AFFBFE12A5741561BC256BC969E0B0438178B744FDF3E947C83A4A07C27F6AA808093090E7B5492FD334A282C3BB5E66ACEA8C85A53EECB05E7E166D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):512
                                                                                                                          Entropy (8bit):0.0
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3::
                                                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):32768
                                                                                                                          Entropy (8bit):1.5180370062079536
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:PwZuUNvcFXOzT5XUkyjSSKdgfdguOdghRXdgkdgpdgKdgt6Adg6i2SBwdgfdguOo:YZMuTZtYSUGkOzs9t46jqvGkOzs9Hf
                                                                                                                          MD5:0D783AF1FD3F0AB59CE1F1171E2AEB6D
                                                                                                                          SHA1:8FF5AADF7FAE8B9243497662E1E445122FBFD257
                                                                                                                          SHA-256:A1A68A3D0693BA42EE4B8EE53B5B8A71D8CA22468F290D261FBD68E3403F2630
                                                                                                                          SHA-512:27E80EAD40EE7B8E1A1105B5DD2138F5BE4D57E1AD527B22D8421EA2F515051A4C3809D45DE43A303B2BEBF08DFF6ADA3A0B95B6D13DB53EFC478D0C57761F16
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):73728
                                                                                                                          Entropy (8bit):0.2762025778596797
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:2IOYXSBwdgfdguOdghRXdgkdgpdgKdg4SKdgfdguOdghRXdgkdgpdgKdgt6Adg65:HOGqvGkOzs94UGkOzs9t465
                                                                                                                          MD5:2406A3B0A6A788C9DFA8FCBA9ED189F5
                                                                                                                          SHA1:865FC99DC27E9962CC50113EEEDEC5F7E08E6212
                                                                                                                          SHA-256:9F27E9B5C72B0DF566EC0E2614CD3D79C11C57D0E2D5E666BCB4AC8CA5B295A6
                                                                                                                          SHA-512:E09BAD5D6EE5078C621FA502EFA68F3CB2FF9610D2CE3D4FF7A1A9DECCCC0B0EA0517E96211D51B1DC9D854AC310F51C654556AA17B72D455F5142CD26798889
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\442.docx.exe
                                                                                                                          File Type:Microsoft Word 2007+
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):230038
                                                                                                                          Entropy (8bit):7.636957641054668
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:nzyKKhARKP6+FeRJhaigk8Ukyhxv8vyNrwyJN2EiXo4EaCNSltkprZvyYqZtGVVu:nzyKKhEKBSf/vv8vyNjz9oltkyYzcZ
                                                                                                                          MD5:773D2787D661474A840B907C8A22D4E9
                                                                                                                          SHA1:A6A0E3C4AB4063BC74C65D6EC0CB43B67F1D767F
                                                                                                                          SHA-256:BA82FE356B21118D92B04A74EF8466A59F4802FD9B061F6E9A28E16CF7A5A8B3
                                                                                                                          SHA-512:7EC868F9B7B47A757BBB5ABF5639F97C47D79AC55DD07954F3EEE93384B555F7C4C817B687C8C486DC97F4174A8CC04DEED342E8ADD6EA2EDB5EE381FC612BEA
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\442.docx.exe
                                                                                                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: RMS - Host 7.2, Comments: This installer contains the logic and data to install RMS - Host 7.2, Keywords: Installer,MSI,Database, Subject: RMS - Host 7.2, Author: TektonIT, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2021 - Premier Edition with Virtualization Pack 27, Last Saved Time/Date: Thu Jul 18 02:24:09 2024, Create Time/Date: Thu Jul 18 02:24:09 2024, Last Printed: Thu Jul 18 02:24:09 2024, Revision Number: {134AA6F2-2A49-44F2-A7A5-B7B9233956FA}, Code page: 1251, Template: Intel;1049
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):26864640
                                                                                                                          Entropy (8bit):7.924911310016854
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:393216:3fWbJGFHH0km5pmwUs1211e50MRZDzPHPRn9xrUVaWILZPLM4ShshVK6KZ478Qic:3fRLmf21sq8P50dILZPLzVK6D
                                                                                                                          MD5:24F15E659ECB67862F4C6E72726BFCA7
                                                                                                                          SHA1:75D90172D7A315A31A484629DC8573367F3E544A
                                                                                                                          SHA-256:F11C06F1FD567E26FB4CE9999749516B6E47ADE4EE0B7B875A75A5CBFB74DC04
                                                                                                                          SHA-512:913C9FB7FDCA7F9F7DD7077C34092E76E42D88802406C9A5F6E8AA0C21E4F21FEE850A39B95982EFE9ED4A2D022A95C30739CC20DC65F3C6722B6022D8F76B3C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):162
                                                                                                                          Entropy (8bit):4.6370546467387
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:t4qKF0n4ejBl4XRre0HmzFxi/MpyCfLScP:JK+4ejBlYRreAmTig/fj
                                                                                                                          MD5:9B33D739CD42218658E732A5C35FCB6D
                                                                                                                          SHA1:B520E840F4F57CD7A9FD4BD0A74C310CA4B171CD
                                                                                                                          SHA-256:967C46B86DA19C8917D9BCDF03E1497DB502BCE91F8771CF4A251904453B8A0C
                                                                                                                          SHA-512:9F51FD60179A0522CA2FC004D3F1B7ED7D1A7A61D5C5D1490931A16E8BE1E9161500FF8452C06F1E165713D3843B0E75674FAB33463FA2E294AC4EFB5B164B24
                                                                                                                          Malicious:false
                                                                                                                          File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                          Entropy (8bit):7.998140922332344
                                                                                                                          TrID:
                                                                                                                          • Win64 Executable GUI (202006/5) 92.65%
                                                                                                                          • Win64 Executable (generic) (12005/4) 5.51%
                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                                                          • DOS Executable Generic (2002/1) 0.92%
                                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                          File name:442.docx.exe
                                                                                                                          File size:25'141'051 bytes
                                                                                                                          MD5:fb8117b1a3f0924100fbc209dbbb1bb1
                                                                                                                          SHA1:9d18c954eae8e8f8437d4e32d0b685f3f51b982b
                                                                                                                          SHA256:beaa1498a67bab02bc4c08f00bde36489aaa86ad8b01ee70b477452a08d360ec
                                                                                                                          SHA512:fcaba4304f26eefa476202e17ca85c3f994d2086f78fa86f1d73f7d6c926825a4ac3b02ceae2d8cde3583f02fdbf87139741035368f6d4b77c4f8c790df330fd
                                                                                                                          SSDEEP:393216:bnD8YsCFVxnq/mIhNAl2543UCCCQrTTNi5NRmclImNm/U29ieL:bgYlFV8/1AbOrXNihH29LL
                                                                                                                          TLSH:14473325EE400AB1E2FAD47098159413D63C3C5DC228B2A722F997287FF7B755B67388
                                                                                                                          Icon Hash:0b03084c4e4e0383
                                                                                                                          Entrypoint:0x140032ee0
                                                                                                                          Entrypoint Section:.text
                                                                                                                          Digitally signed:false
                                                                                                                          Imagebase:0x140000000
                                                                                                                          Subsystem:windows gui
                                                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                                                          Time Stamp:0x66409723 [Sun May 12 10:17:07 2024 UTC]
                                                                                                                          TLS Callbacks:
                                                                                                                          CLR (.Net) Version:
                                                                                                                          OS Version Major:5
                                                                                                                          OS Version Minor:2
                                                                                                                          File Version Major:5
                                                                                                                          File Version Minor:2
                                                                                                                          Subsystem Version Major:5
                                                                                                                          Subsystem Version Minor:2
                                                                                                                          Import Hash:b1c5b1beabd90d9fdabd1df0779ea832
                                                                                                                          Instruction
                                                                                                                          Programming Language:
                                                                                                                          • [ C ] VS2008 SP1 build 30729
                                                                                                                          • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x597a0 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x597d4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x70000 | 0x1558c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x6a000 | 0x306c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x86000 | 0x970 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x536c0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x53780 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4b3f0 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x48000 | 0x508 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x588bc | 0x120 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x4676e | 0x46800 | f06bb06e02377ae8b223122e53be35c2 | False | 0.5372340425531915 | data | 6.47079645411382 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x48000 | 0x128c4 | 0x12a00 | 2de06d4a6920a6911e64ff20000ea72f | False | 0.4499003775167785 | data | 5.273999097784603 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x5b000 | 0xe75c | 0x1a00 | 0dbdb901a7d477980097e42e511a94fb | False | 0.28275240384615385 | data | 3.2571023907881185 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x6a000 | 0x306c | 0x3200 | b0ce0f057741ad2a4ef4717079fa34e9 | False | 0.483359375 | data | 5.501810413666288 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat | 0x6e000 | 0x360 | 0x400 | 1fcc7b1d7a02443319f8fcc2be4ca936 | False | 0.2578125 | data | 3.0459938492946015 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA | 0x6f000 | 0x15c | 0x200 | 3f331ec50f09ba861beaf955b33712d5 | False | 0.408203125 | data | 3.3356393424384843 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x70000 | 0x1558c | 0x15600 | 50f0a4d841d0856138dbb9d7187108bf | False | 0.1905953033625731 | data | 5.443581422941128 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x86000 | 0x970 | 0xa00 | 77a9ddfc47a5650d6eebbcc823e39532 | False | 0.52421875 | data | 5.336289720085303 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x70554 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced |  |  | 1.0027729636048528
PNG | 0x7109c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced |  |  | 0.9363390441839495
RT_ICON | 0x72648 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 15118 x 15118 px/m |  |  | 0.06374955637051934
RT_DIALOG | 0x82e70 | 0x2ba | data |  |  | 0.5286532951289399
RT_DIALOG | 0x8312c | 0x13a | data |  |  | 0.6560509554140127
RT_DIALOG | 0x83268 | 0xf2 | data |  |  | 0.71900826446281
RT_DIALOG | 0x8335c | 0x14a | data |  |  | 0.6
RT_DIALOG | 0x834a8 | 0x314 | data |  |  | 0.47588832487309646
RT_DIALOG | 0x837bc | 0x24a | data |  |  | 0.6279863481228669
RT_STRING | 0x83a08 | 0x1fc | data |  |  | 0.421259842519685
RT_STRING | 0x83c04 | 0x246 | data |  |  | 0.41924398625429554
RT_STRING | 0x83e4c | 0x1a6 | data |  |  | 0.514218009478673
RT_STRING | 0x83ff4 | 0xdc | data |  |  | 0.65
RT_STRING | 0x840d0 | 0x470 | data |  |  | 0.3873239436619718
RT_STRING | 0x84540 | 0x164 | data |  |  | 0.5056179775280899
RT_STRING | 0x846a4 | 0x110 | data |  |  | 0.5772058823529411
RT_STRING | 0x847b4 | 0x158 | data |  |  | 0.4563953488372093
RT_STRING | 0x8490c | 0xe8 | data |  |  | 0.5948275862068966
RT_STRING | 0x849f4 | 0x1c6 | data |  |  | 0.5242290748898678
RT_STRING | 0x84bbc | 0x268 | data |  |  | 0.4837662337662338
RT_GROUP_ICON | 0x84e24 | 0x14 | data |  |  | 1.15
RT_MANIFEST | 0x84e38 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators |  |  | 0.39786666666666665
DLL | Import
KERNEL32.dll | LocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindNextFileA, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, RtlUnwindEx, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll | GdipCloneImage, GdipFree, GdipDisposeImage, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipAlloc
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-03T12:36:14.804611+0100 | 2849354 | ETPRO MALWARE Remote Admin Backdoor Related Activity | 1 | 192.168.2.4 | 49806 | 111.90.147.125 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                          Dec 3, 2024 12:36:21.436203957 CET4982455555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:21.490041018 CET56554981895.213.205.83192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:21.490143061 CET498185655192.168.2.495.213.205.83
                                                                                                                          Dec 3, 2024 12:36:21.548532009 CET565149823111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:21.548629999 CET498235651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:21.549684048 CET498235651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:21.549807072 CET498235651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:21.556391001 CET5555549824111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:21.556452990 CET4982455555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:21.557010889 CET4982455555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:21.557037115 CET4982455555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:21.647382975 CET5555549821111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:21.647473097 CET4982155555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:21.647532940 CET4982155555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:21.671026945 CET565149823111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:21.671042919 CET565149823111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:21.679403067 CET5555549824111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:21.679415941 CET5555549824111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:21.690021992 CET498255655192.168.2.477.223.124.212
                                                                                                                          Dec 3, 2024 12:36:21.738256931 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:21.739649057 CET565149822111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:21.740505934 CET498225651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:21.750372887 CET498225651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:21.768651962 CET5555549821111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:21.782620907 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:21.783051014 CET4982655555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:21.810197115 CET56554982577.223.124.212192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:21.810297966 CET498255655192.168.2.477.223.124.212
                                                                                                                          Dec 3, 2024 12:36:21.812412977 CET498255655192.168.2.477.223.124.212
                                                                                                                          Dec 3, 2024 12:36:21.812444925 CET498255655192.168.2.477.223.124.212
                                                                                                                          Dec 3, 2024 12:36:21.854932070 CET498275651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:21.870452881 CET565149822111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:21.903270006 CET5555549826111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:21.903477907 CET4982655555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:21.904160976 CET4982655555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:21.904233932 CET4982655555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:21.933785915 CET56554982577.223.124.212192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:21.933796883 CET56554982577.223.124.212192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:21.934922934 CET56554982577.223.124.212192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:21.975328922 CET565149827111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:21.975414038 CET498275651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:21.976490021 CET498275651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:21.976502895 CET498275651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:22.024108887 CET5555549826111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:22.024123907 CET5555549826111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:22.096800089 CET565149827111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:22.096812010 CET565149827111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:22.750557899 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:22.797956944 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:23.766558886 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:23.812943935 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:24.169251919 CET565149823111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:24.169316053 CET498235651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:24.169378996 CET498235651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:24.187244892 CET5555549824111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:24.187318087 CET4982455555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:24.187361956 CET4982455555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:24.289208889 CET565149823111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:24.299717903 CET498285651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:24.300775051 CET4982955555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:24.307446003 CET5555549824111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:24.419768095 CET565149828111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:24.419909954 CET498285651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:24.420248032 CET498285651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:24.420268059 CET498285651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:24.420690060 CET5555549829111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:24.420758009 CET4982955555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:24.421026945 CET4982955555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:24.421026945 CET4982955555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:24.498738050 CET5555549826111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:24.498800039 CET4982655555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:24.498872042 CET4982655555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:24.540333033 CET565149828111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:24.540359974 CET565149828111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:24.540920019 CET5555549829111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:24.541112900 CET5555549829111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:24.618766069 CET5555549826111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:24.627017975 CET4983055555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:24.648525953 CET565149827111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:24.648618937 CET498275651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:24.648693085 CET498275651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:24.695365906 CET498315651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:24.747165918 CET5555549830111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:24.747433901 CET4983055555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:24.747673035 CET4983055555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:24.747788906 CET4983055555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:24.769431114 CET565149827111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:24.781778097 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:24.815855026 CET565149831111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:24.815936089 CET498315651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:24.816215992 CET498315651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:24.816505909 CET498315651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:24.828620911 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:24.867681026 CET5555549830111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:24.867717981 CET5555549830111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:24.936038971 CET565149831111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:24.936368942 CET565149831111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:25.797413111 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:25.844192028 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:26.812819958 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:26.859826088 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:27.060616016 CET565149828111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:27.060682058 CET498285651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:27.060719967 CET498285651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:27.088360071 CET5555549829111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:27.088422060 CET4982955555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:27.088454962 CET4982955555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:27.098973989 CET4983255555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:27.111255884 CET498335651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:27.180680990 CET565149828111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:27.208434105 CET5555549829111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:27.219616890 CET5555549832111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:27.219696999 CET4983255555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:27.219978094 CET4983255555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:27.220052958 CET4983255555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:27.231204987 CET565149833111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:27.231343985 CET498335651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:27.231762886 CET498335651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:27.231810093 CET498335651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:27.339939117 CET5555549832111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:27.339951992 CET5555549832111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:27.351671934 CET565149833111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:27.351737976 CET565149833111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:27.374279976 CET5555549830111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:27.374355078 CET4983055555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:27.374406099 CET4983055555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:27.426026106 CET4983455555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:27.451308012 CET565149831111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:27.451375961 CET498315651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:27.451412916 CET498315651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:27.494530916 CET5555549830111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:27.546118975 CET5555549834111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:27.546190977 CET4983455555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:27.546406984 CET4983455555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:27.546406984 CET4983455555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:27.549717903 CET498355651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:27.571486950 CET565149831111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:27.666570902 CET5555549834111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:27.666587114 CET5555549834111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:27.669764996 CET565149835111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:27.669847965 CET498355651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:27.670161009 CET498355651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:27.670171976 CET498355651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:27.790184021 CET565149835111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:27.790196896 CET565149835111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:27.813070059 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:38.672728062 CET565149848111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:38.672792912 CET498485651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:38.672903061 CET498485651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:38.693878889 CET498515651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:38.779110909 CET5555549849111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:38.779288054 CET4984955555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:38.779419899 CET4984955555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:38.793577909 CET565149848111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:38.804164886 CET4985255555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:38.814112902 CET565149851111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:38.816416025 CET498515651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:38.816623926 CET498515651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:38.816643000 CET498515651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:38.899467945 CET5555549849111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:38.924093008 CET5555549852111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:38.924184084 CET4985255555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:38.924622059 CET4985255555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:38.924633980 CET4985255555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:38.936671972 CET565149851111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:38.936798096 CET565149851111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:38.984677076 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:39.031730890 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:39.044544935 CET5555549852111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:39.044621944 CET5555549852111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:39.985434055 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:40.031727076 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:41.000750065 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:41.047389984 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:41.078267097 CET5555549850111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:41.078330994 CET4985055555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:41.078416109 CET4985055555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:41.101254940 CET4985555555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:41.198340893 CET5555549850111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:41.221373081 CET5555549855111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:41.221451998 CET4985555555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:41.221752882 CET4985555555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:41.221781015 CET4985555555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:41.341674089 CET5555549855111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:41.341686964 CET5555549855111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:41.410769939 CET565149851111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:41.410837889 CET498515651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:41.411011934 CET498515651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:41.468524933 CET498565651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:41.531107903 CET565149851111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:41.584650040 CET5555549852111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:41.584723949 CET4985255555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:41.584819078 CET4985255555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:41.588510036 CET565149856111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:41.588576078 CET498565651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:41.603276014 CET498565651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:41.603364944 CET498565651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:41.705825090 CET5555549852111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:41.724215984 CET565149856111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:41.724229097 CET565149856111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:41.910341024 CET4985755555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:42.016292095 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:42.030425072 CET5555549857111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:42.030580044 CET4985755555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:42.030723095 CET4985755555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:42.030735016 CET4985755555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:42.062983990 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:42.151235104 CET5555549857111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:42.151248932 CET5555549857111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:43.031673908 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:43.078627110 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:43.657562971 CET498388080192.168.2.478.138.9.142
                                                                                                                          Dec 3, 2024 12:36:43.657563925 CET498375651192.168.2.478.138.9.142
                                                                                                                          Dec 3, 2024 12:36:43.658588886 CET49836465192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:43.728534937 CET49858465192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:43.729901075 CET498595651192.168.2.478.138.9.142
                                                                                                                          Dec 3, 2024 12:36:43.731610060 CET498608080192.168.2.478.138.9.142
                                                                                                                          Dec 3, 2024 12:36:43.822918892 CET46549836111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:43.822933912 CET80804983878.138.9.142192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:43.822947979 CET56514983778.138.9.142192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:43.848900080 CET46549858111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:43.848969936 CET49858465192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:43.849152088 CET49858465192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:43.849165916 CET49858465192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:43.850125074 CET56514985978.138.9.142192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:43.850199938 CET498595651192.168.2.478.138.9.142
                                                                                                                          Dec 3, 2024 12:36:43.850390911 CET498595651192.168.2.478.138.9.142
                                                                                                                          Dec 3, 2024 12:36:43.850408077 CET498595651192.168.2.478.138.9.142
                                                                                                                          Dec 3, 2024 12:36:43.851771116 CET80804986078.138.9.142192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:43.851829052 CET498608080192.168.2.478.138.9.142
                                                                                                                          Dec 3, 2024 12:36:43.851989031 CET498608080192.168.2.478.138.9.142
                                                                                                                          Dec 3, 2024 12:36:43.852125883 CET498608080192.168.2.478.138.9.142
                                                                                                                          Dec 3, 2024 12:36:43.852217913 CET5555549855111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:43.852273941 CET4985555555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:43.852303982 CET4985555555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:43.969139099 CET4986155555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:43.971374035 CET46549858111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:43.971395969 CET46549858111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:43.972464085 CET56514985978.138.9.142192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:43.972486019 CET56514985978.138.9.142192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:43.974340916 CET80804986078.138.9.142192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:43.974607944 CET80804986078.138.9.142192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:43.974720955 CET5555549855111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:44.047105074 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:44.089128971 CET5555549861111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:44.089215994 CET4986155555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:44.089643955 CET4986155555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:44.089660883 CET4986155555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:44.094228983 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:44.184757948 CET565149856111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:44.184823990 CET498565651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:44.184912920 CET498565651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:44.209645987 CET5555549861111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:44.209700108 CET5555549861111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:44.361912966 CET565149856111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:44.480199099 CET498675651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:44.615051985 CET565149867111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:44.615303040 CET498675651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:44.615823984 CET498675651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:44.615839005 CET498675651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:44.664139986 CET5555549857111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:44.665648937 CET4985755555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:44.668072939 CET4985755555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:44.711925030 CET4986855555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:44.735713959 CET565149867111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:44.735737085 CET565149867111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:44.788796902 CET5555549857111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:44.832628012 CET5555549868111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:44.832726955 CET4986855555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:44.832921028 CET4986855555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:44.832951069 CET4986855555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:44.953120947 CET5555549868111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:44.953135967 CET5555549868111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:45.065639019 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:45.109869003 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:46.078382969 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:46.125493050 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:46.686754942 CET5555549861111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:46.686822891 CET4986155555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:46.686873913 CET4986155555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:46.789994955 CET4987455555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:46.806902885 CET5555549861111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:46.909977913 CET5555549874111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:46.913688898 CET4987455555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:47.093869925 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:47.141134977 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:47.164422035 CET4987455555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:47.164556026 CET4987455555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:47.250319958 CET565149867111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:47.250386000 CET498675651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:47.250472069 CET498675651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:47.284456968 CET5555549874111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:59.049941063 CET46549915111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:59.050071955 CET499148080192.168.2.478.138.9.142
                                                                                                                          Dec 3, 2024 12:36:59.050535917 CET49915465192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:59.050535917 CET499148080192.168.2.478.138.9.142
                                                                                                                          Dec 3, 2024 12:36:59.050566912 CET499148080192.168.2.478.138.9.142
                                                                                                                          Dec 3, 2024 12:36:59.050600052 CET49915465192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:59.050612926 CET49915465192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:36:59.052012920 CET56514991678.138.9.142192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:59.052083015 CET499165651192.168.2.478.138.9.142
                                                                                                                          Dec 3, 2024 12:36:59.052208900 CET499165651192.168.2.478.138.9.142
                                                                                                                          Dec 3, 2024 12:36:59.052221060 CET499165651192.168.2.478.138.9.142
                                                                                                                          Dec 3, 2024 12:36:59.068509102 CET5555549913111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:59.070538044 CET5555549913111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:59.170557976 CET80804991478.138.9.142192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:59.170569897 CET80804991478.138.9.142192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:59.170597076 CET46549915111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:59.170605898 CET46549915111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:59.172095060 CET56514991678.138.9.142192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:59.172108889 CET56514991678.138.9.142192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:59.273920059 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:36:59.328768015 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:00.282231092 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:00.328651905 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:00.563471079 CET5555549911111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:00.563538074 CET4991155555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:00.563604116 CET4991155555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:00.678603888 CET4992255555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:00.683871984 CET5555549911111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:00.799351931 CET5555549922111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:00.799448013 CET4992255555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:00.799741983 CET4992255555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:00.799755096 CET4992255555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:00.919806004 CET5555549922111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:00.919853926 CET5555549922111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:01.297516108 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:01.344276905 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:01.401935101 CET565149912111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:01.405675888 CET499125651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:01.405736923 CET499125651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:01.455390930 CET499235651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:01.525933981 CET565149912111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:01.575438976 CET565149923111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:01.575952053 CET499235651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:01.576212883 CET499235651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:01.579766035 CET499235651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:01.588437080 CET5555549913111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:01.591298103 CET4991355555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:01.591357946 CET4991355555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:01.674874067 CET4992455555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:01.696074009 CET565149923111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:01.699673891 CET565149923111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:01.711261034 CET5555549913111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:01.795330048 CET5555549924111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:01.795433044 CET4992455555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:01.795686960 CET4992455555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:01.795716047 CET4992455555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:01.915819883 CET5555549924111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:01.915837049 CET5555549924111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:02.312594891 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:02.359924078 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:03.328454018 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:03.375556946 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:03.438097000 CET5555549922111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:03.438997984 CET4992255555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:03.439510107 CET4992255555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:03.521145105 CET4993155555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:03.559367895 CET5555549922111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:03.641474009 CET5555549931111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:03.641554117 CET4993155555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:03.641962051 CET4993155555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:03.641962051 CET4993155555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:03.761840105 CET5555549931111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:03.761867046 CET5555549931111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:04.241485119 CET565149923111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:04.241688013 CET499235651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:04.241729021 CET499235651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:04.287512064 CET499375651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:04.343858957 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:04.361715078 CET565149923111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:04.390058041 CET5555549924111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:04.390192986 CET4992455555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:04.390219927 CET4992455555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:04.391149998 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:04.407485962 CET565149937111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:04.407605886 CET499375651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:04.408396006 CET499375651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:04.408423901 CET499375651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:04.508485079 CET4993855555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:04.510338068 CET5555549924111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:04.528553009 CET565149937111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:04.528578043 CET565149937111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:04.629009962 CET5555549938111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:04.629240036 CET4993855555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:04.629476070 CET4993855555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:04.629528999 CET4993855555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:04.749439001 CET5555549938111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:04.749454975 CET5555549938111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:05.344306946 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:05.391208887 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:05.780055046 CET46549858111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:05.780070066 CET56514985978.138.9.142192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:05.780124903 CET49858465192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:05.780169964 CET498595651192.168.2.478.138.9.142
                                                                                                                          Dec 3, 2024 12:37:05.785072088 CET80804986078.138.9.142192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:05.785119057 CET498608080192.168.2.478.138.9.142
                                                                                                                          Dec 3, 2024 12:37:06.279632092 CET5555549931111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:06.279700994 CET4993155555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:06.279771090 CET4993155555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:06.359690905 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:06.392533064 CET4994255555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:06.399741888 CET5555549931111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:06.406805038 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:06.512590885 CET5555549942111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:06.512691021 CET4994255555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:06.512964010 CET4994255555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:06.513117075 CET4994255555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:06.632888079 CET5555549942111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:06.632953882 CET5555549942111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:07.070450068 CET565149937111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:07.070523024 CET499375651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:07.070554972 CET499375651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:07.134114027 CET499445651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:07.190665007 CET565149937111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:07.254157066 CET565149944111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:07.257400036 CET5555549938111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:07.257527113 CET4993855555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:07.257527113 CET499445651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:07.257550955 CET4993855555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:07.257915974 CET499445651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:07.257915974 CET499445651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:07.348509073 CET4994555555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:07.375175953 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:07.377638102 CET5555549938111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:07.377990007 CET565149944111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:07.378005028 CET565149944111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:07.422418118 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:07.468625069 CET5555549945111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:07.468832016 CET4994555555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:07.469033957 CET4994555555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:07.469054937 CET4994555555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:07.589113951 CET5555549945111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:07.589154005 CET5555549945111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:08.391073942 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:08.438045979 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:09.407119036 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:09.453665018 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:21.044128895 CET499148080192.168.2.478.138.9.142
                                                                                                                          Dec 3, 2024 12:37:21.329628944 CET565149983111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:21.329700947 CET499835651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:21.329746008 CET499835651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:21.353244066 CET499915651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:21.449963093 CET565149983111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:21.473335981 CET565149991111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:21.473521948 CET499915651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:21.474482059 CET499915651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:21.474504948 CET499915651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:21.578424931 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:21.594487906 CET565149991111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:21.594530106 CET565149991111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:21.604357004 CET5555549984111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:21.604413033 CET4998455555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:21.604441881 CET4998455555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:21.625653028 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:21.724438906 CET5555549984111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:21.727822065 CET4999255555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:21.847846985 CET5555549992111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:21.848551035 CET4999255555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:21.849176884 CET4999255555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:21.849353075 CET4999255555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:21.876606941 CET499935655192.168.2.495.213.205.83
                                                                                                                          Dec 3, 2024 12:37:21.969739914 CET5555549992111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:21.969758034 CET5555549992111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:21.996895075 CET56554999395.213.205.83192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:21.996972084 CET499935655192.168.2.495.213.205.83
                                                                                                                          Dec 3, 2024 12:37:21.999862909 CET499935655192.168.2.495.213.205.83
                                                                                                                          Dec 3, 2024 12:37:21.999914885 CET499935655192.168.2.495.213.205.83
                                                                                                                          Dec 3, 2024 12:37:22.004924059 CET499935655192.168.2.495.213.205.83
                                                                                                                          Dec 3, 2024 12:37:22.120141029 CET56554999395.213.205.83192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:22.120170116 CET56554999395.213.205.83192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:22.120219946 CET56554999395.213.205.83192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:22.166610003 CET56554999395.213.205.83192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:22.594115973 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:22.641212940 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:22.853096008 CET5555549989111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:22.853754997 CET4998955555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:22.853754997 CET4998955555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:22.883884907 CET4999855555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:22.973771095 CET5555549989111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:23.003918886 CET5555549998111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:23.004374981 CET4999855555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:23.006444931 CET4999855555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:23.007072926 CET4999855555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:23.046225071 CET56554999395.213.205.83192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:23.046462059 CET499935655192.168.2.495.213.205.83
                                                                                                                          Dec 3, 2024 12:37:23.126307964 CET5555549998111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:23.126905918 CET5555549998111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:23.609900951 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:23.656817913 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:24.130914927 CET565149991111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:24.131006956 CET499915651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:24.131042004 CET499915651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:24.198295116 CET500015651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:24.251868963 CET565149991111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:24.318320990 CET565150001111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:24.318753004 CET500015651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:24.322618008 CET500015651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:24.322647095 CET500015651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:24.442687988 CET565150001111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:24.442703962 CET565150001111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:24.484699011 CET5555549992111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:24.484775066 CET4999255555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:24.484834909 CET4999255555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:24.529006004 CET5000555555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:24.605030060 CET5555549992111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:24.625773907 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:24.648981094 CET5555550005111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:24.649061918 CET5000555555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:24.651582956 CET5000555555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:24.651607037 CET5000555555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:24.672533989 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:24.771527052 CET5555550005111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:24.771558046 CET5555550005111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:25.641448021 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:25.682769060 CET5555549998111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:25.685544968 CET4999855555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:25.685580969 CET4999855555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:25.725049973 CET5000755555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:25.766196012 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:25.805628061 CET5555549998111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:25.845477104 CET5555550007111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:25.845556021 CET5000755555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:25.845954895 CET5000755555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:25.845963955 CET5000755555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:25.965939045 CET5555550007111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:25.966126919 CET5555550007111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:26.672214031 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:26.860035896 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:26.908111095 CET565150001111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:26.908168077 CET500015651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:26.908237934 CET500015651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:26.928931952 CET500125651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:27.028100014 CET565150001111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:27.049294949 CET565150012111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:27.049755096 CET500125651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:27.049957037 CET500125651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:27.049957037 CET500125651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:27.170021057 CET565150012111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:27.170034885 CET565150012111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:27.281193018 CET5555550005111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:27.281285048 CET5000555555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:27.281347990 CET5000555555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:27.366765022 CET500135655192.168.2.495.213.205.83
                                                                                                                          Dec 3, 2024 12:37:27.369353056 CET5001455555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:27.401427031 CET5555550005111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:27.486687899 CET56555001395.213.205.83192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:27.486753941 CET500135655192.168.2.495.213.205.83
                                                                                                                          Dec 3, 2024 12:37:27.489634037 CET5555550014111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:27.489707947 CET5001455555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:27.503272057 CET500135655192.168.2.495.213.205.83
                                                                                                                          Dec 3, 2024 12:37:27.503300905 CET500135655192.168.2.495.213.205.83
                                                                                                                          Dec 3, 2024 12:37:27.511487007 CET5001455555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:27.511528015 CET500135655192.168.2.495.213.205.83
                                                                                                                          Dec 3, 2024 12:37:27.511609077 CET5001455555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:27.623285055 CET56555001395.213.205.83192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:27.623297930 CET56555001395.213.205.83192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:27.623331070 CET56555001395.213.205.83192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:27.631508112 CET5555550014111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:27.631539106 CET5555550014111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:27.678477049 CET56555001395.213.205.83192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:27.687954903 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:27.860070944 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:28.486406088 CET5555550007111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:28.486466885 CET5000755555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:28.486607075 CET5000755555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:28.500030041 CET56555001395.213.205.83192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:28.500089884 CET500135655192.168.2.495.213.205.83
                                                                                                                          Dec 3, 2024 12:37:28.589193106 CET5001655555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:28.607428074 CET5555550007111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:28.703489065 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:28.709182024 CET5555550016111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:28.713741064 CET5001655555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:28.714004993 CET5001655555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:28.715930939 CET5001655555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:28.833937883 CET5555550016111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:28.836179018 CET5555550016111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:28.860882044 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:29.251374006 CET49965465192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:29.266601086 CET499668080192.168.2.478.138.9.142
                                                                                                                          Dec 3, 2024 12:37:29.282221079 CET499675651192.168.2.478.138.9.142
                                                                                                                          Dec 3, 2024 12:37:29.344429970 CET500218080192.168.2.478.138.9.142
                                                                                                                          Dec 3, 2024 12:37:29.347134113 CET50022465192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:29.347245932 CET500235651192.168.2.478.138.9.142
                                                                                                                          Dec 3, 2024 12:37:39.704305887 CET5555550049111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:39.704366922 CET5004955555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:39.704477072 CET5004955555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:39.724419117 CET5005855555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:39.728003979 CET56555005495.213.205.83192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:39.729747057 CET500545655192.168.2.495.213.205.83
                                                                                                                          Dec 3, 2024 12:37:39.824419975 CET5555550049111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:39.828552008 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:39.844357014 CET5555550058111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:39.847824097 CET5005855555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:39.848814964 CET5005855555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:39.851953030 CET5005855555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:39.968893051 CET5555550058111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:39.969397068 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:39.971961975 CET5555550058111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:40.844224930 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:40.921325922 CET565150053111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:40.921391964 CET500535651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:40.921431065 CET500535651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:40.927581072 CET500625651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:40.969409943 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:41.040117979 CET500645651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:41.041490078 CET565150053111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:41.047533989 CET565150062111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:41.047604084 CET500625651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:41.056838989 CET500625651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:41.056873083 CET500625651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:41.160089970 CET565150064111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:41.160168886 CET500645651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:41.160772085 CET500645651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:41.160840034 CET500645651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:41.176759958 CET565150062111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:41.176773071 CET565150062111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:41.281814098 CET565150064111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:41.281827927 CET565150064111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:41.524506092 CET5555550055111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:41.524719000 CET5005555555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:41.525238037 CET5005555555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:41.619541883 CET5006655555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:41.645087957 CET5555550055111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:41.739613056 CET5555550066111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:41.741797924 CET5006655555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:41.742389917 CET5006655555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:41.745714903 CET5006655555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:41.860089064 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:41.862281084 CET5555550066111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:41.865614891 CET5555550066111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:41.969368935 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:42.470216990 CET5555550058111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:42.470417976 CET5005855555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:42.470462084 CET5005855555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:42.568624020 CET5007055555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:42.590531111 CET5555550058111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:42.688729048 CET5555550070111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:42.688822985 CET5007055555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:42.689996958 CET5007055555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:42.690013885 CET5007055555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:42.810220003 CET5555550070111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:42.810240984 CET5555550070111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:42.875725031 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:42.969367027 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:43.807236910 CET565150062111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:43.809767962 CET500625651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:43.809789896 CET500625651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:43.882332087 CET500735651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:43.916012049 CET565150064111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:43.916243076 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:43.917821884 CET500645651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:43.918195963 CET500645651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:43.929723024 CET565150062111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:43.969413042 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:43.993484974 CET500745651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:44.002439022 CET565150073111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:44.002898932 CET500735651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:44.009310961 CET500735651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:44.009335041 CET500735651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:44.038225889 CET565150064111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:44.082529068 CET500755655192.168.2.495.213.205.83
                                                                                                                          Dec 3, 2024 12:37:44.114023924 CET565150074111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:44.117799997 CET500745651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:44.118252993 CET500745651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:44.118262053 CET500745651192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:44.129317045 CET565150073111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:44.129357100 CET565150073111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:44.202609062 CET56555007595.213.205.83192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:44.203036070 CET500755655192.168.2.495.213.205.83
                                                                                                                          Dec 3, 2024 12:37:44.208961964 CET500755655192.168.2.495.213.205.83
                                                                                                                          Dec 3, 2024 12:37:44.208961964 CET500755655192.168.2.495.213.205.83
                                                                                                                          Dec 3, 2024 12:37:44.209813118 CET500755655192.168.2.495.213.205.83
                                                                                                                          Dec 3, 2024 12:37:44.238235950 CET565150074111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:44.238282919 CET565150074111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:44.329016924 CET56555007595.213.205.83192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:44.329039097 CET56555007595.213.205.83192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:44.329051018 CET56555007595.213.205.83192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:44.370397091 CET56555007595.213.205.83192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:44.377027988 CET5555550066111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:44.377103090 CET5006655555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:44.377131939 CET5006655555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:44.428749084 CET5007855555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:44.470204115 CET500235651192.168.2.478.138.9.142
                                                                                                                          Dec 3, 2024 12:37:44.470266104 CET500218080192.168.2.478.138.9.142
                                                                                                                          Dec 3, 2024 12:37:44.471442938 CET50022465192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:44.497078896 CET5555550066111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:44.540764093 CET50079465192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:44.540829897 CET500805651192.168.2.478.138.9.142
                                                                                                                          Dec 3, 2024 12:37:44.543064117 CET500818080192.168.2.478.138.9.142
                                                                                                                          Dec 3, 2024 12:37:44.548942089 CET5555550078111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:44.549784899 CET5007855555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:44.550103903 CET5007855555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:44.553731918 CET5007855555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:44.630558014 CET80805002178.138.9.142192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:44.630569935 CET56515002378.138.9.142192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:44.634386063 CET46550022111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:44.661317110 CET46550079111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:44.661364079 CET56515008078.138.9.142192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:44.661756992 CET50079465192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:44.662177086 CET500805651192.168.2.478.138.9.142
                                                                                                                          Dec 3, 2024 12:37:44.662290096 CET50079465192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:44.662303925 CET50079465192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:44.662571907 CET500805651192.168.2.478.138.9.142
                                                                                                                          Dec 3, 2024 12:37:44.662692070 CET500805651192.168.2.478.138.9.142
                                                                                                                          Dec 3, 2024 12:37:44.663511038 CET80805008178.138.9.142192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:44.663580894 CET500818080192.168.2.478.138.9.142
                                                                                                                          Dec 3, 2024 12:37:44.666809082 CET500818080192.168.2.478.138.9.142
                                                                                                                          Dec 3, 2024 12:37:44.666846991 CET500818080192.168.2.478.138.9.142
                                                                                                                          Dec 3, 2024 12:37:44.670789957 CET5555550078111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:44.673772097 CET5555550078111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:44.782324076 CET46550079111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:44.782349110 CET46550079111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:44.782434940 CET56515008078.138.9.142192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:44.782582045 CET56515008078.138.9.142192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:44.786919117 CET80805008178.138.9.142192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:44.786930084 CET80805008178.138.9.142192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:44.906480074 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:44.969505072 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:45.249233007 CET56555007595.213.205.83192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:45.249347925 CET500755655192.168.2.495.213.205.83
                                                                                                                          Dec 3, 2024 12:37:45.312576056 CET5555550070111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:45.313371897 CET5007055555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:45.313371897 CET5007055555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:45.412731886 CET5008455555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:45.433404922 CET5555550070111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:45.532632113 CET5555550084111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:37:45.532730103 CET5008455555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:45.533519030 CET5008455555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:37:45.533535004 CET5008455555192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:38:00.229161024 CET5555550127111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:38:00.229221106 CET80805012878.138.9.142192.168.2.4
                                                                                                                          Dec 3, 2024 12:38:00.229237080 CET80805012878.138.9.142192.168.2.4
                                                                                                                          Dec 3, 2024 12:38:00.229248047 CET56515012978.138.9.142192.168.2.4
                                                                                                                          Dec 3, 2024 12:38:00.229279041 CET56515012978.138.9.142192.168.2.4
                                                                                                                          Dec 3, 2024 12:38:01.142304897 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:38:01.188158989 CET4980680192.168.2.4111.90.147.125
                                                                                                                          Dec 3, 2024 12:38:02.156269073 CET8049806111.90.147.125192.168.2.4
                                                                                                                          Dec 3, 2024 12:38:02.203912020 CET4980680192.168.2.4111.90.147.125
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 3, 2024 12:36:18.335485935 CET | 58727 | 53 | 192.168.2.4 | 1.1.1.1 |
| Dec 3, 2024 12:36:19.108370066 CET | 53 | 58727 | 1.1.1.1 | 192.168.2.4 |

| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Dec 3, 2024 12:36:18.335485935 CET | 192.168.2.4 | 1.1.1.1 | 0x8e7b | Standard query (0) | id72.internetid.ru | A (IP address) | IN (0x0001) | false |

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 3, 2024 12:35:56.698596001 CET | 1.1.1.1 | 192.168.2.4 | 0x7e8b | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false |
| Dec 3, 2024 12:35:56.698596001 CET | 1.1.1.1 | 192.168.2.4 | 0x7e8b | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false |
| Dec 3, 2024 12:36:06.722222090 CET | 1.1.1.1 | 192.168.2.4 | 0xeac | No error (0) | templatesmetadata.office.net | templatesmetadata.office.net.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 3, 2024 12:36:14.154189110 CET | 1.1.1.1 | 192.168.2.4 | 0xfd05 | No error (0) | prod.globalsign.map.fastly.net | | 151.101.2.133 | A (IP address) | IN (0x0001) | false |
| Dec 3, 2024 12:36:14.154189110 CET | 1.1.1.1 | 192.168.2.4 | 0xfd05 | No error (0) | prod.globalsign.map.fastly.net | | 151.101.130.133 | A (IP address) | IN (0x0001) | false |
| Dec 3, 2024 12:36:14.154189110 CET | 1.1.1.1 | 192.168.2.4 | 0xfd05 | No error (0) | prod.globalsign.map.fastly.net | | 151.101.194.133 | A (IP address) | IN (0x0001) | false |
| Dec 3, 2024 12:36:14.154189110 CET | 1.1.1.1 | 192.168.2.4 | 0xfd05 | No error (0) | prod.globalsign.map.fastly.net | | 151.101.66.133 | A (IP address) | IN (0x0001) | false |
| Dec 3, 2024 12:36:16.474224091 CET | 1.1.1.1 | 192.168.2.4 | 0xd974 | No error (0) | prod.globalsign.map.fastly.net | | 151.101.194.133 | A (IP address) | IN (0x0001) | false |
| Dec 3, 2024 12:36:16.474224091 CET | 1.1.1.1 | 192.168.2.4 | 0xd974 | No error (0) | prod.globalsign.map.fastly.net | | 151.101.66.133 | A (IP address) | IN (0x0001) | false |
| Dec 3, 2024 12:36:16.474224091 CET | 1.1.1.1 | 192.168.2.4 | 0xd974 | No error (0) | prod.globalsign.map.fastly.net | | 151.101.2.133 | A (IP address) | IN (0x0001) | false |
| Dec 3, 2024 12:36:16.474224091 CET | 1.1.1.1 | 192.168.2.4 | 0xd974 | No error (0) | prod.globalsign.map.fastly.net | | 151.101.130.133 | A (IP address) | IN (0x0001) | false |
| Dec 3, 2024 12:36:19.108370066 CET | 1.1.1.1 | 192.168.2.4 | 0x8e7b | No error (0) | id72.internetid.ru | main.internetid.ru | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 3, 2024 12:36:19.108370066 CET | 1.1.1.1 | 192.168.2.4 | 0x8e7b | No error (0) | main.internetid.ru | | 95.213.205.83 | A (IP address) | IN (0x0001) | false |
| Dec 3, 2024 12:37:03.193897009 CET | 1.1.1.1 | 192.168.2.4 | 0xb23b | No error (0) | windowsupdatebg.s.llnwi.net | | 178.79.238.128 | A (IP address) | IN (0x0001) | false |

| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49806 | 111.90.147.125 | 80 | 6120 | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe |

| Timestamp | Bytes transferred | Direction | Data Raw | Data Ascii |
|---|---|---|---|---|
| Dec 3, 2024 12:36:13.251187086 CET | 6 | OUT | 00 00 00 07 | |
| Dec 3, 2024 12:36:13.251187086 CET | 6 | OUT | 00 00 00 03 | |
| Dec 3, 2024 12:36:14.804249048 CET | 4 | IN | 00 01 12 7e | ~ |
| Dec 3, 2024 12:36:14.804464102 CET | 6 | OUT | 00 01 12 7e | ~ |
| Dec 3, 2024 12:36:14.804488897 CET | 6 | OUT | 00 00 00 01 | |
| Dec 3, 2024 12:36:14.804564953 CET | 6 | OUT | 2d 2d 0d 0a | -- |
| Dec 3, 2024 12:36:14.804582119 CET | 6 | OUT | 00 00 00 2e | . |
| Dec 3, 2024 12:36:14.804610968 CET | 46 | OUT | 22 00 43 00 6f 00 6d 00 70 00 75 00 74 00 65 00 72 00 20 00 6e 00 61 00 6d 00 65 00 3a 00 20 00 32 00 32 00 36 00 35 00 34 00 36 00 22 00 | "Computer name: 226546" |
| Dec 3, 2024 12:36:15.638190985 CET | 4 | IN | 00 00 00 00 | |
| Dec 3, 2024 12:36:16.641808033 CET | 4 | IN | 00 00 00 00 | |



                                                                                                                          Target ID:0
                                                                                                                          Start time:06:35:45
                                                                                                                          Start date:03/12/2024
                                                                                                                          Path:C:\Users\user\Desktop\442.docx.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:"C:\Users\user\Desktop\442.docx.exe"
                                                                                                                          Imagebase:0x7ff69d3d0000
                                                                                                                          File size:25'141'051 bytes
                                                                                                                          MD5 hash:FB8117B1A3F0924100FBC209DBBB1BB1
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                          Target ID:1
                                                                                                                          Start time:06:35:46
                                                                                                                          Start date:03/12/2024
                                                                                                                          Path:C:\Windows\System32\msiexec.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\intel\Word.msi" /qn
                                                                                                                          Imagebase:0x7ff698970000
                                                                                                                          File size:69'632 bytes
                                                                                                                          MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:2
                                                                                                                          Start time:06:35:47
                                                                                                                          Start date:03/12/2024
                                                                                                                          Path:C:\Windows\System32\msiexec.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                                          Imagebase:0x7ff698970000
                                                                                                                          File size:69'632 bytes
                                                                                                                          MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:false

                                                                                                                          Target ID:3
                                                                                                                          Start time:06:35:47
                                                                                                                          Start date:03/12/2024
                                                                                                                          Path:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\intel\Doc.docx" /o ""
                                                                                                                          Imagebase:0x3c0000
                                                                                                                          File size:1'620'872 bytes
                                                                                                                          MD5 hash:1A0C2C2E7D9C4BC18E91604E9B0C7678
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:false

                                                                                                                          Target ID:4
                                                                                                                          Start time:06:35:48
                                                                                                                          Start date:03/12/2024
                                                                                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding DC073261611BDBF652B83E82DB7E8329
                                                                                                                          Imagebase:0x6b0000
                                                                                                                          File size:59'904 bytes
                                                                                                                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:5
                                                                                                                          Start time:06:35:50
                                                                                                                          Start date:03/12/2024
                                                                                                                          Path:C:\Windows\System32\sppsvc.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\system32\sppsvc.exe
                                                                                                                          Imagebase:0x7ff758d50000
                                                                                                                          File size:4'630'384 bytes
                                                                                                                          MD5 hash:320823F03672CEB82CC3A169989ABD12
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:moderate
                                                                                                                          Has exited:true

                                                                                                                          Target ID:6
                                                                                                                          Start time:06:35:50
                                                                                                                          Start date:03/12/2024
                                                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                          Imagebase:0x7ff6eef20000
                                                                                                                          File size:55'320 bytes
                                                                                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:false

                                                                                                                          Target ID:11
                                                                                                                          Start time:06:35:59
                                                                                                                          Start date:03/12/2024
                                                                                                                          Path:C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" -msi_copy "C:\intel\Word.msi"
                                                                                                                          Imagebase:0x270000
                                                                                                                          File size:11'132'168 bytes
                                                                                                                          MD5 hash:CB9BE257064162076EBD4869CD97E166
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:Borland Delphi
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 0000000B.00000000.1848835790.0000000000D25000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Author: Joe Security
                                                                                                                          • Rule: MALWARE_Win_RemoteUtilitiesRAT, Description: RemoteUtilitiesRAT RAT payload, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Author: ditekSHen
                                                                                                                          Antivirus matches:
                                                                                                                          • Detection: 13%, ReversingLabs
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                          Target ID:12
                                                                                                                          Start time:06:36:02
                                                                                                                          Start date:03/12/2024
                                                                                                                          Path:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
                                                                                                                          Imagebase:0xab0000
                                                                                                                          File size:21'764'872 bytes
                                                                                                                          MD5 hash:D563A4D6BFCFE6884D1AC88824CB5C2A
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:Borland Delphi
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 0000000C.00000000.1894913988.0000000001F71000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, Author: Joe Security
                                                                                                                          • Rule: MALWARE_Win_RemoteUtilitiesRAT, Description: RemoteUtilitiesRAT RAT payload, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, Author: ditekSHen
                                                                                                                          Antivirus matches:
                                                                                                                          • Detection: 12%, ReversingLabs
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                          Target ID:15
                                                                                                                          Start time:06:36:06
                                                                                                                          Start date:03/12/2024
                                                                                                                          Path:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall
                                                                                                                          Imagebase:0xab0000
                                                                                                                          File size:21'764'872 bytes
                                                                                                                          MD5 hash:D563A4D6BFCFE6884D1AC88824CB5C2A
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:Borland Delphi
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                          Target ID:16
                                                                                                                          Start time:06:36:08
                                                                                                                          Start date:03/12/2024
                                                                                                                          Path:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
                                                                                                                          Imagebase:0xab0000
                                                                                                                          File size:21'764'872 bytes
                                                                                                                          MD5 hash:D563A4D6BFCFE6884D1AC88824CB5C2A
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:Borland Delphi
                                                                                                                          Has exited:true

                                                                                                                          Target ID:17
                                                                                                                          Start time:06:36:09
                                                                                                                          Start date:03/12/2024
                                                                                                                          Path:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -service
                                                                                                                          Imagebase:0xab0000
                                                                                                                          File size:21'764'872 bytes
                                                                                                                          MD5 hash:D563A4D6BFCFE6884D1AC88824CB5C2A
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:Borland Delphi
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 00000011.00000003.1974630728.0000000007B3E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 00000011.00000002.2988939881.0000000002698000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          Has exited:false

                                                                                                                          Target ID:18
                                                                                                                          Start time:06:36:11
                                                                                                                          Start date:03/12/2024
                                                                                                                          Path:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall
                                                                                                                          Imagebase:0xab0000
                                                                                                                          File size:21'764'872 bytes
                                                                                                                          MD5 hash:D563A4D6BFCFE6884D1AC88824CB5C2A
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:Borland Delphi
                                                                                                                          Has exited:true

                                                                                                                          Target ID:19
                                                                                                                          Start time:06:36:12
                                                                                                                          Start date:03/12/2024
                                                                                                                          Path:C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
                                                                                                                          Imagebase:0x270000
                                                                                                                          File size:11'132'168 bytes
                                                                                                                          MD5 hash:CB9BE257064162076EBD4869CD97E166
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:Borland Delphi
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 00000013.00000002.2974268243.0000000002E56000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 00000013.00000002.2974268243.0000000002E7A000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          Has exited:false

                                                                                                                          Target ID:20
                                                                                                                          Start time:06:36:12
                                                                                                                          Start date:03/12/2024
                                                                                                                          Path:C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
                                                                                                                          Imagebase:0x270000
                                                                                                                          File size:11'132'168 bytes
                                                                                                                          MD5 hash:CB9BE257064162076EBD4869CD97E166
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:Borland Delphi
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 00000014.00000002.2977786114.0000000002E4A000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 00000014.00000002.2977786114.0000000002E18000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 00000014.00000002.2990838666.0000000004A84000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 00000014.00000002.2990838666.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          Has exited:false

                                                                                                                          Target ID:21
                                                                                                                          Start time:06:36:21
                                                                                                                          Start date:03/12/2024
                                                                                                                          Path:C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
                                                                                                                          Imagebase:0x270000
                                                                                                                          File size:11'132'168 bytes
                                                                                                                          MD5 hash:CB9BE257064162076EBD4869CD97E166
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:Borland Delphi
                                                                                                                          Has exited:true

                                                                                                                            Execution Graph

                                                                                                                            Execution Coverage:12%
                                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                                            Signature Coverage:25.9%
                                                                                                                            Total number of Nodes:2000
                                                                                                                            Total number of Limit Nodes:27
26271->25929 26272->26271 26659 7ff69d3ea4ac 26272->26659 26274 7ff69d3d258f 26274->26271 26275 7ff69d3d25a4 GetDlgItem 26274->26275 26275->26271 26276 7ff69d3d25b7 26275->26276 26276->26271 26277 7ff69d3d25be SetWindowTextW 26276->26277 26277->26271 26279 7ff69d3d2334 26278->26279 26280 7ff69d3d22fc 26278->26280 26758 7ff69d3d23f8 GetWindowTextLengthW 26279->26758 26282 7ff69d3d129c 33 API calls 26280->26282 26283 7ff69d3d232a BuildCatchObjectHelperInternal 26282->26283 26284 7ff69d3d1fa0 31 API calls 26283->26284 26286 7ff69d3d2389 26283->26286 26284->26286 26285 7ff69d402320 _handle_error 8 API calls 26288 7ff69d3d23dd 26285->26288 26287 7ff69d3d23c8 26286->26287 26289 7ff69d3d23f0 26286->26289 26287->26285 26288->25957 26288->25958 26288->26095 26290 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26289->26290 26291 7ff69d3d23f5 26290->26291 26293 7ff69d3d8d34 26292->26293 26300 7ff69d3d8de8 26292->26300 26295 7ff69d3d8d42 BuildCatchObjectHelperInternal 26293->26295 26297 7ff69d3d8de3 26293->26297 26298 7ff69d3d8d91 26293->26298 26295->25978 26793 7ff69d3d1f80 33 API calls 3 library calls 26297->26793 26298->26295 26301 7ff69d4021d0 33 API calls 26298->26301 26794 7ff69d3d2004 33 API calls std::_Xinvalid_argument 26300->26794 26301->26295 26307 7ff69d3fefb0 26302->26307 26303 7ff69d402320 _handle_error 8 API calls 26304 7ff69d3fb537 26303->26304 26316 7ff69d3eaae0 26304->26316 26305 7ff69d3fefd7 26305->26303 26307->26305 26795 7ff69d3dbd0c 33 API calls 26307->26795 26308 7ff69d3ff02a 26309 7ff69d3d1150 33 API calls 26308->26309 26310 7ff69d3ff03f 26309->26310 26311 7ff69d3d1fa0 31 API calls 26310->26311 26313 7ff69d3ff04f BuildCatchObjectHelperInternal 26310->26313 26311->26313 26312 7ff69d3d1fa0 31 API calls 26314 7ff69d3ff076 26312->26314 26313->26312 26315 7ff69d3d1fa0 31 API calls 26314->26315 26315->26305 26317 7ff69d3eaaf3 26316->26317 26796 7ff69d3e9774 26317->26796 26320 7ff69d3eab58 LoadStringW 26321 7ff69d3eab86 26320->26321 26322 
7ff69d3eab71 LoadStringW 26320->26322 26323 7ff69d3eda98 26321->26323 26322->26321 26815 7ff69d3ed874 26323->26815 26326 7ff69d3ff0a4 26849 7ff69d3fae1c PeekMessageW 26326->26849 26329 7ff69d3ff143 SendMessageW SendMessageW 26331 7ff69d3ff1a4 SendMessageW 26329->26331 26332 7ff69d3ff189 26329->26332 26330 7ff69d3ff0f5 26333 7ff69d3ff101 ShowWindow SendMessageW SendMessageW 26330->26333 26334 7ff69d3ff1c3 26331->26334 26335 7ff69d3ff1c6 SendMessageW SendMessageW 26331->26335 26332->26331 26333->26329 26334->26335 26336 7ff69d3ff1f3 SendMessageW 26335->26336 26337 7ff69d3ff218 SendMessageW 26335->26337 26336->26337 26338 7ff69d402320 _handle_error 8 API calls 26337->26338 26339 7ff69d3fb578 26338->26339 26339->26029 26341 7ff69d3e309d 26340->26341 26348 7ff69d3e2f8e 26340->26348 26342 7ff69d402320 _handle_error 8 API calls 26341->26342 26343 7ff69d3e30b3 26342->26343 26343->26058 26343->26059 26344 7ff69d3e3077 26344->26341 26345 7ff69d3e3684 56 API calls 26344->26345 26345->26341 26346 7ff69d3d129c 33 API calls 26346->26348 26348->26344 26348->26346 26349 7ff69d3e30c8 26348->26349 26854 7ff69d3e3684 26348->26854 26350 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26349->26350 26351 7ff69d3e30cd 26350->26351 26353 7ff69d3e7fd2 SetCurrentDirectoryW 26352->26353 26354 7ff69d3e7fcf 26352->26354 26353->26071 26354->26353 26356 7ff69d3d4255 26355->26356 26357 7ff69d3d426a 26356->26357 26358 7ff69d3d129c 33 API calls 26356->26358 26359 7ff69d402320 _handle_error 8 API calls 26357->26359 26358->26357 26360 7ff69d3d42a1 26359->26360 26361 7ff69d3d3c84 26360->26361 26362 7ff69d3d3cab 26361->26362 26987 7ff69d3d710c 26362->26987 26364 7ff69d3d3cbb BuildCatchObjectHelperInternal 26364->26111 26366 7ff69d3d1fdc 26365->26366 26367 7ff69d3d1fb3 26365->26367 26366->26125 26367->26366 26368 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26367->26368 26369 7ff69d3d2000 26368->26369 26372 7ff69d3e216a 26370->26372 26371 7ff69d3e219e 26375 7ff69d3e227f 
26371->26375 26376 7ff69d3e6a0c 49 API calls 26371->26376 26372->26371 26373 7ff69d3e21b1 CreateFileW 26372->26373 26373->26371 26374 7ff69d3e22af 26378 7ff69d402320 _handle_error 8 API calls 26374->26378 26375->26374 26381 7ff69d3d20b0 33 API calls 26375->26381 26377 7ff69d3e2209 26376->26377 26379 7ff69d3e220d CreateFileW 26377->26379 26380 7ff69d3e2246 26377->26380 26382 7ff69d3e22c4 26378->26382 26379->26380 26380->26375 26383 7ff69d3e22d8 26380->26383 26381->26374 26382->26157 26382->26158 26384 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26383->26384 26385 7ff69d3e22dd 26384->26385 26387 7ff69d3e2066 26386->26387 26388 7ff69d3e2072 26386->26388 26387->26388 26999 7ff69d3e20d0 26387->26999 27006 7ff69d3faa08 26390->27006 26392 7ff69d3fd1ee 26393 7ff69d3d1fa0 31 API calls 26392->26393 26394 7ff69d3fd1f7 26393->26394 26396 7ff69d402320 _handle_error 8 API calls 26394->26396 26395 7ff69d3ed22c 33 API calls 26515 7ff69d3fcf03 BuildCatchObjectHelperInternal 26395->26515 26397 7ff69d3fbc2b 26396->26397 26397->26163 26398 7ff69d3feefa 27139 7ff69d3d704c 47 API calls BuildCatchObjectHelperInternal 26398->27139 26401 7ff69d3fef00 27140 7ff69d3d704c 47 API calls BuildCatchObjectHelperInternal 26401->27140 26402 7ff69d3d129c 33 API calls 26402->26515 26404 7ff69d3fef06 26408 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26404->26408 26406 7ff69d3feeee 26407 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26406->26407 26409 7ff69d3feef4 26407->26409 26410 7ff69d3fef0c 26408->26410 27138 7ff69d3d704c 47 API calls BuildCatchObjectHelperInternal 26409->27138 26413 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26410->26413 26415 7ff69d3fef12 26413->26415 26414 7ff69d3fee4a 26416 7ff69d3feed2 26414->26416 26417 7ff69d3d20b0 33 API calls 26414->26417 26420 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26415->26420 27136 7ff69d3d1f80 33 API calls 3 library calls 26416->27136 26422 7ff69d3fee77 
26417->26422 26418 7ff69d3feee8 27137 7ff69d3d2004 33 API calls std::_Xinvalid_argument 26418->27137 26419 7ff69d3d13a4 33 API calls 26423 7ff69d3fdc3a GetTempPathW 26419->26423 26424 7ff69d3fef18 26420->26424 27135 7ff69d3fabe8 33 API calls 3 library calls 26422->27135 26423->26515 26431 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26424->26431 26425 7ff69d3e62dc 35 API calls 26425->26515 26429 7ff69d3fee8d 26439 7ff69d3d1fa0 31 API calls 26429->26439 26443 7ff69d3feea4 BuildCatchObjectHelperInternal 26429->26443 26430 7ff69d3d2520 SetWindowTextW 26430->26515 26433 7ff69d3fef1e 26431->26433 26441 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26433->26441 26434 7ff69d3d8d04 33 API calls 26434->26515 26436 7ff69d40bb8c 43 API calls 26436->26515 26437 7ff69d3d2034 33 API calls 26437->26515 26438 7ff69d3fe7f3 26438->26416 26438->26418 26442 7ff69d4021d0 33 API calls 26438->26442 26450 7ff69d3fe83b BuildCatchObjectHelperInternal 26438->26450 26439->26443 26440 7ff69d3d1fa0 31 API calls 26440->26416 26444 7ff69d3fef24 26441->26444 26442->26450 26443->26440 26449 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26444->26449 26446 7ff69d3d20b0 33 API calls 26446->26515 26447 7ff69d3faa08 33 API calls 26447->26515 26448 7ff69d3fef6c 27143 7ff69d3d2004 33 API calls std::_Xinvalid_argument 26448->27143 26454 7ff69d3fef2a 26449->26454 26459 7ff69d3d20b0 33 API calls 26450->26459 26504 7ff69d3feb8f 26450->26504 26452 7ff69d3d1fa0 31 API calls 26452->26414 26453 7ff69d3fef78 27145 7ff69d3d2004 33 API calls std::_Xinvalid_argument 26453->27145 26465 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26454->26465 26455 7ff69d3fef72 27144 7ff69d3d1f80 33 API calls 3 library calls 26455->27144 26457 7ff69d3e5820 33 API calls 26457->26515 26458 7ff69d3fef66 27142 7ff69d3d1f80 33 API calls 3 library calls 26458->27142 26466 7ff69d3fe963 26459->26466 26462 7ff69d3fed40 26462->26453 26462->26455 26482 7ff69d3fed3b 
BuildCatchObjectHelperInternal 26462->26482 26483 7ff69d4021d0 33 API calls 26462->26483 26464 7ff69d3fec2a 26464->26448 26464->26458 26472 7ff69d3fec72 BuildCatchObjectHelperInternal 26464->26472 26479 7ff69d4021d0 33 API calls 26464->26479 26464->26482 26469 7ff69d3fef30 26465->26469 26471 7ff69d3fef60 26466->26471 26478 7ff69d3d129c 33 API calls 26466->26478 26484 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26469->26484 26470 7ff69d3e3d34 51 API calls 26470->26515 27141 7ff69d3d704c 47 API calls BuildCatchObjectHelperInternal 26471->27141 27049 7ff69d3ff4e0 26472->27049 26474 7ff69d3fd5e9 GetDlgItem 26480 7ff69d3d2520 SetWindowTextW 26474->26480 26476 7ff69d3f99c8 31 API calls 26476->26515 26485 7ff69d3fe9a6 26478->26485 26479->26472 26486 7ff69d3fd608 SendMessageW 26480->26486 26482->26452 26483->26482 26490 7ff69d3fef36 26484->26490 27131 7ff69d3ed22c 26485->27131 26486->26515 26487 7ff69d3edc2c 33 API calls 26487->26515 26488 7ff69d3e32bc 51 API calls 26488->26515 26489 7ff69d3d2674 31 API calls 26489->26515 26494 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26490->26494 26493 7ff69d3e5b60 53 API calls 26493->26515 26499 7ff69d3fef3c 26494->26499 26495 7ff69d3e5aa8 33 API calls 26495->26515 26496 7ff69d3fd63c SendMessageW 26496->26515 26498 7ff69d3e3f30 54 API calls 26498->26515 26502 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26499->26502 26505 7ff69d3fef42 26502->26505 26504->26462 26504->26464 26506 7ff69d3fef5a 26504->26506 26526 7ff69d3fef54 26504->26526 26511 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26505->26511 26508 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26506->26508 26507 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26507->26506 26508->26471 26509 7ff69d3d4228 33 API calls 26509->26515 26514 7ff69d3fef48 26511->26514 26512 7ff69d3fe9d1 26512->26504 26512->26514 26519 7ff69d3fef4e 26512->26519 26520 7ff69d3d129c 33 API calls 26512->26520 26527 
7ff69d3d1fa0 31 API calls 26512->26527 26529 7ff69d3f13c4 CompareStringW 26512->26529 26532 7ff69d3ed22c 33 API calls 26512->26532 26513 7ff69d3e32a8 51 API calls 26513->26515 26517 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26514->26517 26515->26392 26515->26395 26515->26398 26515->26401 26515->26402 26515->26404 26515->26406 26515->26409 26515->26410 26515->26414 26515->26415 26515->26419 26515->26424 26515->26425 26515->26430 26515->26433 26515->26434 26515->26436 26515->26437 26515->26438 26515->26444 26515->26446 26515->26447 26515->26454 26515->26457 26515->26469 26515->26470 26515->26476 26515->26487 26515->26488 26515->26489 26515->26490 26515->26493 26515->26495 26515->26496 26515->26498 26515->26499 26515->26505 26515->26509 26515->26513 26516 7ff69d3de164 33 API calls 26515->26516 26518 7ff69d3d250c SetDlgItemTextW 26515->26518 26523 7ff69d3d1150 33 API calls 26515->26523 26530 7ff69d3fdf99 EndDialog 26515->26530 26533 7ff69d3fdb21 MoveFileW 26515->26533 26537 7ff69d3e2f58 56 API calls 26515->26537 26539 7ff69d3d1fa0 31 API calls 26515->26539 27010 7ff69d3f13c4 CompareStringW 26515->27010 27011 7ff69d3fa440 26515->27011 27087 7ff69d3ecfa4 35 API calls _invalid_parameter_noinfo_noreturn 26515->27087 27088 7ff69d3f95b4 33 API calls Concurrency::cancel_current_task 26515->27088 27089 7ff69d400684 31 API calls _invalid_parameter_noinfo_noreturn 26515->27089 27090 7ff69d3ddf4c 47 API calls BuildCatchObjectHelperInternal 26515->27090 27091 7ff69d3fa834 33 API calls _invalid_parameter_noinfo_noreturn 26515->27091 27092 7ff69d3f9518 33 API calls 26515->27092 27093 7ff69d3fabe8 33 API calls 3 library calls 26515->27093 27094 7ff69d3e7368 33 API calls 2 library calls 26515->27094 27095 7ff69d3e4088 33 API calls 26515->27095 27096 7ff69d3e65b0 33 API calls 3 library calls 26515->27096 27097 7ff69d3e72cc 26515->27097 27101 7ff69d3d1744 33 API calls 4 library calls 26515->27101 27102 7ff69d3e31bc 26515->27102 27116 7ff69d3e3ea0 FindClose 
26515->27116 27117 7ff69d3f13f4 CompareStringW 26515->27117 27118 7ff69d3f9cd0 47 API calls 26515->27118 27119 7ff69d3f87d8 51 API calls 3 library calls 26515->27119 27120 7ff69d3fab54 33 API calls _handle_error 26515->27120 27121 7ff69d3e7df4 26515->27121 27129 7ff69d3e5b08 CompareStringW 26515->27129 27130 7ff69d3e7eb0 47 API calls 26515->27130 26516->26515 26517->26519 26518->26515 26524 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26519->26524 26520->26512 26523->26515 26524->26526 26526->26507 26527->26512 26529->26512 26530->26515 26532->26512 26534 7ff69d3fdb55 MoveFileExW 26533->26534 26535 7ff69d3fdb70 26533->26535 26534->26535 26535->26515 26536 7ff69d3d1fa0 31 API calls 26535->26536 26536->26535 26537->26515 26539->26515 26541 7ff69d3ff9a3 26540->26541 26542 7ff69d3d20b0 33 API calls 26541->26542 26543 7ff69d3ff9b9 26542->26543 26544 7ff69d3ff9ee 26543->26544 26545 7ff69d3d20b0 33 API calls 26543->26545 27159 7ff69d3de34c 26544->27159 26545->26544 26547 7ff69d3ffa4b 27179 7ff69d3de7a8 26547->27179 26551 7ff69d3ffa61 26552 7ff69d402320 _handle_error 8 API calls 26551->26552 26553 7ff69d3fbc52 26552->26553 26553->26178 28294 7ff69d3f849c 26555->28294 26558 7ff69d3ff4b7 26560 7ff69d402320 _handle_error 8 API calls 26558->26560 26559 7ff69d3ff3c7 GetWindow 26564 7ff69d3ff3e2 26559->26564 26561 7ff69d3fbe9b 26560->26561 26561->25937 26561->25938 26562 7ff69d3ff3ee GetClassNameW 28299 7ff69d3f13c4 CompareStringW 26562->28299 26564->26558 26564->26562 26565 7ff69d3ff417 GetWindowLongPtrW 26564->26565 26566 7ff69d3ff496 GetWindow 26564->26566 26565->26566 26567 7ff69d3ff429 SendMessageW 26565->26567 26566->26558 26566->26564 26567->26566 26568 7ff69d3ff445 GetObjectW 26567->26568 28300 7ff69d3f8504 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 26568->28300 26570 7ff69d3ff461 28301 7ff69d3f84cc 26570->28301 28305 7ff69d3f8df4 16 API calls _handle_error 26570->28305 26573 7ff69d3ff479 SendMessageW DeleteObject 26573->26566 26575 7ff69d3e6300 
26574->26575 26580 7ff69d3e638d 26574->26580 26576 7ff69d3d13a4 33 API calls 26575->26576 26577 7ff69d3e631b GetCurrentDirectoryW 26576->26577 26578 7ff69d3e6341 26577->26578 26579 7ff69d3d20b0 33 API calls 26578->26579 26581 7ff69d3e634f 26579->26581 26580->25952 26581->26580 26582 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26581->26582 26583 7ff69d3e63a9 26582->26583 26585 7ff69d3d252a SetWindowTextW 26584->26585 26586 7ff69d3d2527 26584->26586 26587 7ff69d43e2e0 26585->26587 26586->26585 26588->25964 26590 7ff69d3d2513 26589->26590 26591 7ff69d3d2516 SetDlgItemTextW 26589->26591 26590->26591 26593 7ff69d3d12d0 26592->26593 26594 7ff69d3d139b 26592->26594 26597 7ff69d3d1396 26593->26597 26598 7ff69d3d1338 26593->26598 26601 7ff69d3d12de BuildCatchObjectHelperInternal 26593->26601 28309 7ff69d3d2004 33 API calls std::_Xinvalid_argument 26594->28309 28308 7ff69d3d1f80 33 API calls 3 library calls 26597->28308 26600 7ff69d4021d0 33 API calls 26598->26600 26598->26601 26600->26601 26601->25999 26602->26032 26604 7ff69d3e32bc 51 API calls 26603->26604 26605 7ff69d3e32b1 26604->26605 26605->26042 26605->26065 26606->26042 26608 7ff69d3d13a4 33 API calls 26607->26608 26609 7ff69d3e6489 26608->26609 26610 7ff69d3e648c GetModuleFileNameW 26609->26610 26613 7ff69d3e64dc 26609->26613 26611 7ff69d3e64de 26610->26611 26612 7ff69d3e64a7 26610->26612 26611->26613 26612->26609 26614 7ff69d3d129c 33 API calls 26613->26614 26615 7ff69d3e6506 26614->26615 26616 7ff69d3e653e 26615->26616 26617 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26615->26617 26616->26108 26618 7ff69d3e6560 26617->26618 26619->26123 26621 7ff69d3d20f6 26620->26621 26623 7ff69d3d20cb BuildCatchObjectHelperInternal 26620->26623 28310 7ff69d3d1474 33 API calls 3 library calls 26621->28310 26623->26139 26624->26150 26625->26161 26626->26171 26627->26176 26628->26185 26630 7ff69d403620 26629->26630 26630->26189 26631->26105 26633 7ff69d3d1177 26632->26633 26634 7ff69d3d2034 33 
API calls 26633->26634 26635 7ff69d3d1185 BuildCatchObjectHelperInternal 26634->26635 26635->26121 26637 7ff69d3d2085 26636->26637 26639 7ff69d3d2059 BuildCatchObjectHelperInternal 26636->26639 28311 7ff69d3d15b8 33 API calls 3 library calls 26637->28311 26639->26093 26641 7ff69d402329 26640->26641 26642 7ff69d3fc350 26641->26642 26643 7ff69d402550 IsProcessorFeaturePresent 26641->26643 26644 7ff69d402568 26643->26644 28312 7ff69d402744 RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind 26644->28312 26646 7ff69d40257b 28313 7ff69d402510 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 26646->28313 28314 7ff69d40783c 31 API calls 3 library calls 26649->28314 26651 7ff69d40791d 28315 7ff69d407934 16 API calls abort 26651->28315 26654->26143 26655->26209 26656->26234 26657->26249 26658->26261 26684 7ff69d3e3e28 26659->26684 26663 7ff69d3ea589 26690 7ff69d3e9408 26663->26690 26666 7ff69d3ea6f2 GetSystemMetrics GetWindow 26668 7ff69d3ea821 26666->26668 26683 7ff69d3ea71d 26666->26683 26667 7ff69d3ea603 26669 7ff69d3ea6c2 26667->26669 26670 7ff69d3ea60c GetWindowLongPtrW 26667->26670 26672 7ff69d402320 _handle_error 8 API calls 26668->26672 26709 7ff69d3e95a8 26669->26709 26673 7ff69d43e2c0 26670->26673 26671 7ff69d3ea519 26671->26663 26681 7ff69d3ea56a SetDlgItemTextW 26671->26681 26705 7ff69d3e9800 26671->26705 26676 7ff69d3ea830 26672->26676 26677 7ff69d3ea6aa GetWindowRect 26673->26677 26676->26274 26677->26669 26679 7ff69d3ea73e GetWindowRect 26679->26683 26680 7ff69d3ea6e5 SetWindowTextW 26680->26666 26681->26671 26682 7ff69d3ea800 GetWindow 26682->26668 26682->26683 26683->26668 26683->26679 26683->26682 26685 7ff69d3e3e4d _snwprintf 26684->26685 26718 7ff69d409ef0 26685->26718 26688 7ff69d3f0f68 WideCharToMultiByte 26689 7ff69d3f0faa 26688->26689 26689->26671 26691 7ff69d3e95a8 47 API calls 26690->26691 26694 7ff69d3e944f 26691->26694 26692 7ff69d402320 _handle_error 8 API calls 26693 7ff69d3e958e GetWindowRect 
GetClientRect 26692->26693 26693->26666 26693->26667 26695 7ff69d3d129c 33 API calls 26694->26695 26701 7ff69d3e955a 26694->26701 26696 7ff69d3e949c 26695->26696 26697 7ff69d3e95a1 26696->26697 26699 7ff69d3d129c 33 API calls 26696->26699 26698 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26697->26698 26700 7ff69d3e95a7 26698->26700 26702 7ff69d3e9514 26699->26702 26701->26692 26702->26701 26703 7ff69d3e959c 26702->26703 26704 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26703->26704 26704->26697 26706 7ff69d3e9840 26705->26706 26708 7ff69d3e9869 26705->26708 26757 7ff69d40a270 31 API calls 2 library calls 26706->26757 26708->26671 26710 7ff69d3e3e28 swprintf 46 API calls 26709->26710 26711 7ff69d3e95eb 26710->26711 26712 7ff69d3f0f68 WideCharToMultiByte 26711->26712 26713 7ff69d3e9603 26712->26713 26714 7ff69d3e9800 31 API calls 26713->26714 26715 7ff69d3e961b 26714->26715 26716 7ff69d402320 _handle_error 8 API calls 26715->26716 26717 7ff69d3e962b 26716->26717 26717->26666 26717->26680 26719 7ff69d409f36 26718->26719 26720 7ff69d409f4e 26718->26720 26745 7ff69d40d69c 15 API calls abort 26719->26745 26720->26719 26721 7ff69d409f58 26720->26721 26747 7ff69d407ef0 35 API calls 2 library calls 26721->26747 26724 7ff69d409f3b 26746 7ff69d4078e4 31 API calls _invalid_parameter_noinfo 26724->26746 26726 7ff69d402320 _handle_error 8 API calls 26728 7ff69d3e3e69 26726->26728 26727 7ff69d409f69 __scrt_get_show_window_mode 26748 7ff69d407e70 15 API calls _set_fmode 26727->26748 26728->26688 26730 7ff69d409fd4 26749 7ff69d4082f8 46 API calls 3 library calls 26730->26749 26732 7ff69d409fdd 26733 7ff69d409fe5 26732->26733 26736 7ff69d40a014 26732->26736 26750 7ff69d40d90c 26733->26750 26735 7ff69d40a06c 26742 7ff69d40d90c Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 26735->26742 26736->26735 26737 7ff69d40a092 26736->26737 26738 7ff69d40a023 26736->26738 26741 7ff69d40a01a 26736->26741 26737->26735 26739 7ff69d40a09c 
26737->26739 26740 7ff69d40d90c Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 26738->26740 26743 7ff69d40d90c Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 26739->26743 26744 7ff69d409f46 26740->26744 26741->26735 26741->26738 26742->26744 26743->26744 26744->26726 26745->26724 26746->26744 26747->26727 26748->26730 26749->26732 26751 7ff69d40d941 Concurrency::details::SchedulerProxy::DeleteThis 26750->26751 26752 7ff69d40d911 RtlFreeHeap 26750->26752 26751->26744 26752->26751 26753 7ff69d40d92c 26752->26753 26756 7ff69d40d69c 15 API calls abort 26753->26756 26755 7ff69d40d931 GetLastError 26755->26751 26756->26755 26757->26708 26770 7ff69d3d13a4 26758->26770 26761 7ff69d3d2494 26762 7ff69d3d129c 33 API calls 26761->26762 26763 7ff69d3d24a2 26762->26763 26765 7ff69d3d2505 26763->26765 26766 7ff69d3d24dd 26763->26766 26764 7ff69d402320 _handle_error 8 API calls 26767 7ff69d3d24f3 26764->26767 26768 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26765->26768 26766->26764 26767->26283 26769 7ff69d3d250a 26768->26769 26771 7ff69d3d142d GetWindowTextW 26770->26771 26772 7ff69d3d13ad 26770->26772 26771->26761 26773 7ff69d3d13ce 26772->26773 26774 7ff69d3d143d 26772->26774 26778 7ff69d3d13db __scrt_get_show_window_mode 26773->26778 26780 7ff69d4021d0 26773->26780 26790 7ff69d3d2018 33 API calls std::_Xinvalid_argument 26774->26790 26789 7ff69d3d197c 31 API calls _invalid_parameter_noinfo_noreturn 26778->26789 26781 7ff69d4021db 26780->26781 26782 7ff69d4021f4 26781->26782 26783 7ff69d40bbc0 abort 2 API calls 26781->26783 26784 7ff69d4021fa 26781->26784 26782->26778 26783->26781 26785 7ff69d402205 26784->26785 26791 7ff69d402f7c RtlPcToFileHeader RaiseException Concurrency::cancel_current_task std::bad_alloc::bad_alloc 26784->26791 26792 7ff69d3d1f80 33 API calls 3 library calls 26785->26792 26788 7ff69d40220b 26789->26771 26791->26785 26792->26788 26793->26300 26795->26308 26803 7ff69d3e9638 26796->26803 26799 7ff69d3e9800 31 
API calls 26800 7ff69d3e97d9 26799->26800 26801 7ff69d402320 _handle_error 8 API calls 26800->26801 26802 7ff69d3e97f2 26801->26802 26802->26320 26802->26321 26804 7ff69d3e9692 26803->26804 26812 7ff69d3e9730 26803->26812 26805 7ff69d3f0f68 WideCharToMultiByte 26804->26805 26807 7ff69d3e96c0 26804->26807 26805->26807 26806 7ff69d402320 _handle_error 8 API calls 26808 7ff69d3e9764 26806->26808 26811 7ff69d3e96ef 26807->26811 26813 7ff69d3eaa88 45 API calls _snwprintf 26807->26813 26808->26799 26808->26800 26814 7ff69d40a270 31 API calls 2 library calls 26811->26814 26812->26806 26813->26811 26814->26812 26831 7ff69d3ed4d0 26815->26831 26819 7ff69d409ef0 swprintf 46 API calls 26821 7ff69d3ed8e5 _snwprintf 26819->26821 26820 7ff69d3ed974 26828 7ff69d3ed9a3 26820->26828 26846 7ff69d3d9d78 33 API calls 26820->26846 26821->26819 26821->26820 26845 7ff69d3d9d78 33 API calls 26821->26845 26823 7ff69d402320 _handle_error 8 API calls 26825 7ff69d3eda2b 26823->26825 26824 7ff69d3eda17 26824->26823 26825->26326 26826 7ff69d3eda3f 26827 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26826->26827 26829 7ff69d3eda44 26827->26829 26828->26824 26828->26826 26832 7ff69d3ed665 26831->26832 26834 7ff69d3ed502 26831->26834 26835 7ff69d3ecb80 26832->26835 26833 7ff69d3d1744 33 API calls 26833->26834 26834->26832 26834->26833 26836 7ff69d3ecbb6 26835->26836 26843 7ff69d3ecc80 26835->26843 26837 7ff69d3ecbc6 26836->26837 26840 7ff69d3ecc7b 26836->26840 26842 7ff69d3ecc20 26836->26842 26837->26821 26847 7ff69d3d1f80 33 API calls 3 library calls 26840->26847 26842->26837 26844 7ff69d4021d0 33 API calls 26842->26844 26848 7ff69d3d2004 33 API calls std::_Xinvalid_argument 26843->26848 26844->26837 26845->26821 26846->26828 26847->26843 26850 7ff69d3fae80 GetDlgItem 26849->26850 26851 7ff69d3fae3c GetMessageW 26849->26851 26850->26329 26850->26330 26852 7ff69d3fae5b IsDialogMessageW 26851->26852 26853 7ff69d3fae6a TranslateMessage DispatchMessageW 26851->26853 26852->26850 
26852->26853 26853->26850 26856 7ff69d3e36b3 26854->26856 26855 7ff69d3e36e0 26888 7ff69d3e32bc 26855->26888 26856->26855 26857 7ff69d3e36cc CreateDirectoryW 26856->26857 26857->26855 26859 7ff69d3e377d 26857->26859 26861 7ff69d3e378d 26859->26861 26874 7ff69d3e3d34 26859->26874 26865 7ff69d402320 _handle_error 8 API calls 26861->26865 26862 7ff69d3e3791 GetLastError 26862->26861 26867 7ff69d3e37b9 26865->26867 26867->26348 26868 7ff69d3e3720 CreateDirectoryW 26869 7ff69d3e373b 26868->26869 26870 7ff69d3e37ce 26869->26870 26871 7ff69d3e3774 26869->26871 26872 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26870->26872 26871->26859 26871->26862 26873 7ff69d3e37d3 26872->26873 26875 7ff69d3e3d5e SetFileAttributesW 26874->26875 26876 7ff69d3e3d5b 26874->26876 26877 7ff69d3e3d74 26875->26877 26884 7ff69d3e3df5 26875->26884 26876->26875 26879 7ff69d3e6a0c 49 API calls 26877->26879 26878 7ff69d402320 _handle_error 8 API calls 26880 7ff69d3e3e0a 26878->26880 26881 7ff69d3e3d99 26879->26881 26880->26861 26882 7ff69d3e3d9d SetFileAttributesW 26881->26882 26883 7ff69d3e3dbc 26881->26883 26882->26883 26883->26884 26885 7ff69d3e3e1a 26883->26885 26884->26878 26886 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26885->26886 26887 7ff69d3e3e1f 26886->26887 26889 7ff69d3e32e4 26888->26889 26890 7ff69d3e32e7 GetFileAttributesW 26888->26890 26889->26890 26891 7ff69d3e32f8 26890->26891 26898 7ff69d3e3375 26890->26898 26892 7ff69d3e6a0c 49 API calls 26891->26892 26894 7ff69d3e331f 26892->26894 26893 7ff69d402320 _handle_error 8 API calls 26895 7ff69d3e3389 26893->26895 26896 7ff69d3e3323 GetFileAttributesW 26894->26896 26897 7ff69d3e333c 26894->26897 26895->26862 26902 7ff69d3e6a0c 26895->26902 26896->26897 26897->26898 26899 7ff69d3e3399 26897->26899 26898->26893 26900 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26899->26900 26901 7ff69d3e339e 26900->26901 26903 7ff69d3e6a4b 26902->26903 26922 7ff69d3e6a44 26902->26922 26906 7ff69d3d129c 
33 API calls 26903->26906 26904 7ff69d402320 _handle_error 8 API calls 26905 7ff69d3e371c 26904->26905 26905->26868 26905->26869 26907 7ff69d3e6a76 26906->26907 26908 7ff69d3e6cc7 26907->26908 26909 7ff69d3e6a96 26907->26909 26910 7ff69d3e62dc 35 API calls 26908->26910 26911 7ff69d3e6ab0 26909->26911 26936 7ff69d3e6b49 26909->26936 26915 7ff69d3e6ce6 26910->26915 26912 7ff69d3e70ab 26911->26912 26975 7ff69d3dc098 33 API calls 2 library calls 26911->26975 26983 7ff69d3d2004 33 API calls std::_Xinvalid_argument 26912->26983 26914 7ff69d3e6eef 26959 7ff69d3e70cf 26914->26959 26980 7ff69d3dc098 33 API calls 2 library calls 26914->26980 26915->26914 26918 7ff69d3e6d1b 26915->26918 26920 7ff69d3e6b44 26915->26920 26916 7ff69d3e70b1 26926 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26916->26926 26949 7ff69d3e70bd 26918->26949 26978 7ff69d3dc098 33 API calls 2 library calls 26918->26978 26919 7ff69d3e70d5 26927 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26919->26927 26920->26916 26920->26919 26920->26922 26928 7ff69d3e70a6 26920->26928 26922->26904 26923 7ff69d3e6b03 26937 7ff69d3d1fa0 31 API calls 26923->26937 26952 7ff69d3e6b15 BuildCatchObjectHelperInternal 26923->26952 26934 7ff69d3e70b7 26926->26934 26935 7ff69d3e70db 26927->26935 26933 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26928->26933 26929 7ff69d3e6f56 26981 7ff69d3d11cc 33 API calls BuildCatchObjectHelperInternal 26929->26981 26931 7ff69d3e6d76 BuildCatchObjectHelperInternal 26939 7ff69d3e70c3 26931->26939 26944 7ff69d3d1fa0 31 API calls 26931->26944 26932 7ff69d3d1fa0 31 API calls 26932->26920 26933->26912 26943 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26934->26943 26945 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26935->26945 26936->26920 26940 7ff69d3d129c 33 API calls 26936->26940 26937->26952 26942 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 26939->26942 26946 7ff69d3e6bbe 26940->26946 26941 
calls 28636->28637 28638 7ff69d3fcde9 28637->28638 28714 7ff69d3d704c 47 API calls BuildCatchObjectHelperInternal 28638->28714 28639 7ff69d3fcdef 28715 7ff69d3d704c 47 API calls BuildCatchObjectHelperInternal 28639->28715 28643 7ff69d3fcdf5 28644 7ff69d3d1fa0 31 API calls 28644->28646 28645 7ff69d3d129c 33 API calls 28645->28646 28646->28631 28646->28635 28646->28636 28646->28638 28646->28639 28646->28644 28646->28645 28713 7ff69d3ebb00 102 API calls 28646->28713 28648 7ff69d3ffd3c SetEnvironmentVariableW 28647->28648 28649 7ff69d3ffd39 28647->28649 28650 7ff69d3ed0a0 33 API calls 28648->28650 28649->28648 28654 7ff69d3ffd74 28650->28654 28651 7ff69d3ffdc3 28652 7ff69d3ffdfa 28651->28652 28655 7ff69d3ffe1b 28651->28655 28653 7ff69d402320 _handle_error 8 API calls 28652->28653 28656 7ff69d3ffe0b 28653->28656 28654->28651 28659 7ff69d3ffdad SetEnvironmentVariableW 28654->28659 28657 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 28655->28657 28656->28476 28656->28478 28658 7ff69d3ffe20 28657->28658 28659->28651 28661 7ff69d3fb03e 28660->28661 28662 7ff69d3fb046 28660->28662 28716 7ff69d3f8624 FindResourceExW 28661->28716 28664 7ff69d3fb063 28662->28664 28665 7ff69d3fb04e GetObjectW 28662->28665 28666 7ff69d3f849c 4 API calls 28664->28666 28665->28664 28667 7ff69d3fb078 28666->28667 28668 7ff69d3fb0ce 28667->28668 28669 7ff69d3fb09e 28667->28669 28670 7ff69d3f8624 11 API calls 28667->28670 28679 7ff69d3e98ac 28668->28679 28731 7ff69d3f8504 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 28669->28731 28672 7ff69d3fb08a 28670->28672 28672->28669 28674 7ff69d3fb092 DeleteObject 28672->28674 28673 7ff69d3fb0a7 28675 7ff69d3f84cc 4 API calls 28673->28675 28674->28669 28676 7ff69d3fb0b2 28675->28676 28732 7ff69d3f8df4 16 API calls _handle_error 28676->28732 28678 7ff69d3fb0bf DeleteObject 28678->28668 28733 7ff69d3e98dc 28679->28733 28681 7ff69d3e98ba 28800 7ff69d3ea43c GetModuleHandleW FindResourceW 28681->28800 28683 7ff69d3e98c2 28683->28462 28685 7ff69d4021d0 
33 API calls 28684->28685 28686 7ff69d3f67fa 28685->28686 28686->28473 28688 7ff69d3f9501 28687->28688 28689 7ff69d3f950a OleUninitialize 28688->28689 28690 7ff69d43e330 28689->28690 28691->28469 28692->28479 28693->28482 28694->28487 28695->28497 28697 7ff69d3edff4 GetModuleHandleW 28696->28697 28697->28540 28697->28542 28699 7ff69d3e51c8 GetVersionExW 28698->28699 28700 7ff69d3e51fb 28698->28700 28699->28700 28701 7ff69d402320 _handle_error 8 API calls 28700->28701 28702 7ff69d3e5228 28701->28702 28702->28578 28703->28548 28707 7ff69d3ed0d2 28704->28707 28705 7ff69d3ed106 28705->28571 28706 7ff69d3d1744 33 API calls 28706->28707 28707->28705 28707->28706 28708->28580 28709->28612 28710->28598 28711->28605 28712->28563 28713->28646 28714->28639 28715->28643 28717 7ff69d3f879b 28716->28717 28718 7ff69d3f864f SizeofResource 28716->28718 28717->28662 28718->28717 28719 7ff69d3f8669 LoadResource 28718->28719 28719->28717 28720 7ff69d3f8682 LockResource 28719->28720 28720->28717 28721 7ff69d3f8697 GlobalAlloc 28720->28721 28721->28717 28722 7ff69d3f86b8 GlobalLock 28721->28722 28723 7ff69d3f8792 GlobalFree 28722->28723 28724 7ff69d3f86ca BuildCatchObjectHelperInternal 28722->28724 28723->28717 28725 7ff69d3f86d8 CreateStreamOnHGlobal 28724->28725 28726 7ff69d3f8789 GlobalUnlock 28725->28726 28727 7ff69d3f86f6 GdipAlloc 28725->28727 28726->28723 28728 7ff69d3f870b 28727->28728 28728->28726 28729 7ff69d3f8772 28728->28729 28730 7ff69d3f875a GdipCreateHBITMAPFromBitmap 28728->28730 28729->28726 28730->28729 28731->28673 28732->28678 28736 7ff69d3e98fe _snwprintf 28733->28736 28734 7ff69d3e9973 28810 7ff69d3e68b0 48 API calls 28734->28810 28736->28734 28737 7ff69d3e9a89 28736->28737 28740 7ff69d3e99fd 28737->28740 28741 7ff69d3d20b0 33 API calls 28737->28741 28738 7ff69d3d1fa0 31 API calls 28738->28740 28739 7ff69d3e997d BuildCatchObjectHelperInternal 28739->28738 28798 7ff69d3ea42e 28739->28798 28743 7ff69d3e24c0 54 API calls 28740->28743 28741->28740 28742 7ff69d407904 
_invalid_parameter_noinfo_noreturn 31 API calls 28744 7ff69d3ea434 28742->28744 28745 7ff69d3e9a1a 28743->28745 28746 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 28744->28746 28747 7ff69d3e9a22 28745->28747 28755 7ff69d3e9aad 28745->28755 28748 7ff69d3ea43a 28746->28748 28749 7ff69d3e204c 100 API calls 28747->28749 28752 7ff69d3e9a2b 28749->28752 28750 7ff69d3e9b17 28802 7ff69d40a450 28750->28802 28752->28744 28754 7ff69d3e9a66 28752->28754 28758 7ff69d402320 _handle_error 8 API calls 28754->28758 28755->28750 28756 7ff69d3e8e58 33 API calls 28755->28756 28756->28755 28757 7ff69d40a450 31 API calls 28770 7ff69d3e9b57 __vcrt_FlsAlloc 28757->28770 28759 7ff69d3ea40e 28758->28759 28759->28681 28760 7ff69d3e9c89 28761 7ff69d3e2aa0 101 API calls 28760->28761 28774 7ff69d3e9d5c 28760->28774 28764 7ff69d3e9ca1 28761->28764 28762 7ff69d3e2bb0 101 API calls 28762->28770 28763 7ff69d3e28d0 104 API calls 28763->28770 28767 7ff69d3e28d0 104 API calls 28764->28767 28764->28774 28765 7ff69d3e204c 100 API calls 28768 7ff69d3ea3f5 28765->28768 28766 7ff69d3e2aa0 101 API calls 28766->28770 28771 7ff69d3e9cc9 28767->28771 28769 7ff69d3d1fa0 31 API calls 28768->28769 28769->28754 28770->28760 28770->28762 28770->28763 28770->28766 28770->28774 28773 7ff69d3e9cd7 __vcrt_FlsAlloc 28771->28773 28771->28774 28811 7ff69d3f0bbc MultiByteToWideChar 28771->28811 28773->28774 28775 7ff69d3ea1ec 28773->28775 28777 7ff69d3ea157 28773->28777 28778 7ff69d3ea14b 28773->28778 28792 7ff69d3f0f68 WideCharToMultiByte 28773->28792 28795 7ff69d3ea429 28773->28795 28812 7ff69d3eaa88 45 API calls _snwprintf 28773->28812 28813 7ff69d40a270 31 API calls 2 library calls 28773->28813 28774->28765 28791 7ff69d3ea2c2 28775->28791 28817 7ff69d40cf90 31 API calls 2 library calls 28775->28817 28777->28775 28814 7ff69d40cf90 31 API calls 2 library calls 28777->28814 28778->28681 28781 7ff69d3ea249 28818 7ff69d40b7bc 31 API calls _invalid_parameter_noinfo_noreturn 28781->28818 28782 7ff69d3ea3a2 
28785 7ff69d40a450 31 API calls 28782->28785 28783 7ff69d3ea16d 28815 7ff69d40b7bc 31 API calls _invalid_parameter_noinfo_noreturn 28783->28815 28784 7ff69d3ea2ae 28784->28791 28819 7ff69d3e8cd0 33 API calls 2 library calls 28784->28819 28788 7ff69d3ea3cb 28785->28788 28786 7ff69d3e8e58 33 API calls 28786->28791 28789 7ff69d40a450 31 API calls 28788->28789 28789->28774 28791->28782 28791->28786 28792->28773 28793 7ff69d3ea1d8 28793->28775 28816 7ff69d3e8cd0 33 API calls 2 library calls 28793->28816 28820 7ff69d402624 8 API calls 28795->28820 28798->28742 28801 7ff69d3ea468 28800->28801 28801->28683 28803 7ff69d40a47d 28802->28803 28809 7ff69d40a492 28803->28809 28821 7ff69d40d69c 15 API calls abort 28803->28821 28805 7ff69d40a487 28822 7ff69d4078e4 31 API calls _invalid_parameter_noinfo 28805->28822 28807 7ff69d402320 _handle_error 8 API calls 28808 7ff69d3e9b37 28807->28808 28808->28757 28809->28807 28810->28739 28811->28773 28812->28773 28813->28773 28814->28783 28815->28793 28816->28775 28817->28781 28818->28784 28819->28791 28820->28798 28821->28805 28822->28809 28355 7ff69d40bf2c 28362 7ff69d40bc34 28355->28362 28367 7ff69d40d440 35 API calls 2 library calls 28362->28367 28364 7ff69d40bc3f 28368 7ff69d40d068 35 API calls abort 28364->28368 28367->28364 28316 7ff69d4011cf 28317 7ff69d401102 28316->28317 28318 7ff69d401900 _com_raise_error 14 API calls 28317->28318 28319 7ff69d401141 28318->28319 28330 7ff69d4003e0 28331 7ff69d40041f 28330->28331 28332 7ff69d400497 28330->28332 28333 7ff69d3eaae0 48 API calls 28331->28333 28334 7ff69d3eaae0 48 API calls 28332->28334 28336 7ff69d400433 28333->28336 28335 7ff69d4004ab 28334->28335 28337 7ff69d3eda98 48 API calls 28335->28337 28338 7ff69d3eda98 48 API calls 28336->28338 28342 7ff69d400442 BuildCatchObjectHelperInternal 28337->28342 28338->28342 28339 7ff69d3d1fa0 31 API calls 28340 7ff69d400541 28339->28340 28344 7ff69d3d250c SetDlgItemTextW 28340->28344 28341 7ff69d4005cc 28346 7ff69d407904 
_invalid_parameter_noinfo_noreturn 31 API calls 28341->28346 28342->28339 28342->28341 28343 7ff69d4005c6 28342->28343 28345 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 28343->28345 28347 7ff69d400556 SetWindowTextW 28344->28347 28345->28341 28350 7ff69d4005d2 28346->28350 28348 7ff69d40059c 28347->28348 28349 7ff69d40056f 28347->28349 28351 7ff69d402320 _handle_error 8 API calls 28348->28351 28349->28348 28352 7ff69d4005c1 28349->28352 28353 7ff69d4005af 28351->28353 28354 7ff69d407904 _invalid_parameter_noinfo_noreturn 31 API calls 28352->28354 28354->28343 28374 7ff69d4020f0 28375 7ff69d402106 _com_error::_com_error 28374->28375 28376 7ff69d404078 Concurrency::cancel_current_task 2 API calls 28375->28376 28377 7ff69d402117 28376->28377 28378 7ff69d401900 _com_raise_error 14 API calls 28377->28378 28379 7ff69d402163 28378->28379
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Item$Message$_invalid_parameter_noinfo_noreturn$Send$DialogText$File$ErrorLast$CloseFindFocusLoadStringViewWindow$CommandConcurrency::cancel_current_taskCountCreateDispatchEnableExecuteFirstHandleLineMappingParamShellSleepTickTranslateUnmap
                                                                                                                            • String ID: %s %s$-el -s2 "-d%s" "-sp%s"$@$LICENSEDLG$REPLACEFILEDLG$STARTDLG$__tmp_rar_sfx_access_check_$p$runas$winrarsfxmappingfile.tmp
                                                                                                                            • API String ID: 255727823-2702805183
                                                                                                                            • Opcode ID: 742c52f187673fa3818f90a88d37ebbd3f28f543ca0243257d190f446f9c0966
                                                                                                                            • Instruction ID: 4681655ca41a97180b20aa6371e7c4ef7ae46c1d3662620a0ec044eca4ab4ed4
                                                                                                                            • Opcode Fuzzy Hash: 742c52f187673fa3818f90a88d37ebbd3f28f543ca0243257d190f446f9c0966
                                                                                                                            • Instruction Fuzzy Hash: 98D2B562A0878641FA30DB29E8902F9A761FF96B81F40427AD9CD876E5FF3CE545C700
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task$FileMessageMoveSend$DialogItemPathTemp
                                                                                                                            • String ID: .lnk$.tmp$<br>$@set:user$HIDE$MAX$MIN$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$lnk
                                                                                                                            • API String ID: 3007431893-3916287355
                                                                                                                            • Opcode ID: 989edd887e5b1489d8cc5a85516bdae0c617656e8027eca2e197cd1c6dcb38f4
                                                                                                                            • Instruction ID: a9560ac2f0336afdc13e3772df46d2b8aab5f3a85211305fe3c43fcd8489db86
                                                                                                                            • Opcode Fuzzy Hash: 989edd887e5b1489d8cc5a85516bdae0c617656e8027eca2e197cd1c6dcb38f4
                                                                                                                            • Instruction Fuzzy Hash: 6913E432B04B8689FB20DF68D8442EC67B1FB46799F40017ADA9D97AD9EF38D594C340

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$EnvironmentHandleVariableView$_invalid_parameter_noinfo_noreturn$AddressCloseCurrentDeleteDirectoryModuleObjectProcUnmap$CommandDialogIconInitializeLineLoadLocalMallocMappingOpenParamSleepTimeswprintf
                                                                                                                            • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                                                                                                            • API String ID: 1048086575-3710569615
                                                                                                                            • Opcode ID: a2d1f56a0ea0f115fb5c545e7d969dd7b349b6d85002bdedd461fc6b968f04a4
                                                                                                                            • Instruction ID: b7c2bf6bf3278b55f5b7794b14db0e7430f006a64b76b3065d6ae9dea084958b
                                                                                                                            • Opcode Fuzzy Hash: a2d1f56a0ea0f115fb5c545e7d969dd7b349b6d85002bdedd461fc6b968f04a4
                                                                                                                            • Instruction Fuzzy Hash: DE12B261A18B8681FB30DB28E9412B9B361FF95B94F404275DADDC6AA9FF3CE154C700

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWideswprintf
                                                                                                                            • String ID: $%s:$CAPTION
                                                                                                                            • API String ID: 2100155373-404845831
                                                                                                                            • Opcode ID: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
                                                                                                                            • Instruction ID: 1d8478033cbb82457a94e0db7d2ea1ab994480f25bf28bdd5a2366c0fe460672
                                                                                                                            • Opcode Fuzzy Hash: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
                                                                                                                            • Instruction Fuzzy Hash: D391DA32B2864187E724DF29E400679A7A1FB85B84F545535EECE97B98DF3CE805CB40

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
                                                                                                                            • String ID: PNG
                                                                                                                            • API String ID: 211097158-364855578
                                                                                                                            • Opcode ID: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
                                                                                                                            • Instruction ID: 83cf7a8047e0d55a7bce9c8a196123885fe135f86ad32231069fd3dd4eba9fa0
                                                                                                                            • Opcode Fuzzy Hash: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
                                                                                                                            • Instruction Fuzzy Hash: 07414C65A09B0681FF298B1AD944379A3A0EF99FD5F080579CE8D873A4FF7CE4499700
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                            • String ID: __tmp_reference_source_
                                                                                                                            • API String ID: 3668304517-685763994
                                                                                                                            • Opcode ID: 39d84d88c4dc0d2d040a6a2f9a1c948ef6b0e0f1946ebfa1f8e71d5bc605ccae
                                                                                                                            • Instruction ID: 18c0084838b66d5beb5af6b1d8d475d64a995c5ea4c12e3c76c45f95f919726d
                                                                                                                            • Opcode Fuzzy Hash: 39d84d88c4dc0d2d040a6a2f9a1c948ef6b0e0f1946ebfa1f8e71d5bc605ccae
                                                                                                                            • Instruction Fuzzy Hash: 23E2A562A086C292EA74CB65D1403BEE761FB82781F40417ADBDD936E5EF3CE854C710
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                            • String ID: CMT
                                                                                                                            • API String ID: 3668304517-2756464174
                                                                                                                            • Opcode ID: d27e10a47ab199182401eb8f629d16e0782fa570b7d722cbddcdfe00517a4b91
                                                                                                                            • Instruction ID: e840118261d1aad67d025abdfc5d607fd853250f73922cab11b4ea7721ddc2ec
                                                                                                                            • Opcode Fuzzy Hash: d27e10a47ab199182401eb8f629d16e0782fa570b7d722cbddcdfe00517a4b91
                                                                                                                            • Instruction Fuzzy Hash: 42E21422B0868286EB38DB75D5402FDA7A1FB56785F44017ADA9E83BD6EF3CE454C700

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FileFind$ErrorFirstLast_invalid_parameter_noinfo_noreturn$Next
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 474548282-0
                                                                                                                            • Opcode ID: e946e08dc8eba9ecab1b1533132c2bb6995f9a4699fd30eb303f74d9a567b386
                                                                                                                            • Instruction ID: c6c4f687002b04d1e4ac3ec76fcedd0d04060310b2e087350d0256af40f5fa00
                                                                                                                            • Opcode Fuzzy Hash: e946e08dc8eba9ecab1b1533132c2bb6995f9a4699fd30eb303f74d9a567b386
                                                                                                                            • Instruction Fuzzy Hash: 1261B662A0864682EE209B25E44027DA361FF9ABF5F505375EAFD836D9EF3CD944C700

                                                                                                                            Control-flow Graph

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: CMT
                                                                                                                            • API String ID: 0-2756464174
                                                                                                                            • Opcode ID: 589854a86694341a55c69b07c8121abed16d2d53b78a965ac968b8bdafdd2d04
                                                                                                                            • Instruction ID: 7c6c34d880e295252d1a53b32a41f51e946a926099e4f1990b9a9eb20888d416
                                                                                                                            • Opcode Fuzzy Hash: 589854a86694341a55c69b07c8121abed16d2d53b78a965ac968b8bdafdd2d04
                                                                                                                            • Instruction Fuzzy Hash: 7A42E422F0868597EB28DB74D1502FDB7A1EB52785F00417ADBAE936D6EF38E518C700
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: d815108fe1d55ff87d4c2cc37bd82faefe2d830e8a86587ef2118bcfed6bbcfe
                                                                                                                            • Instruction ID: ea5220f52a9caf220302ffddc0d562e54a7937e93427b066878a90fc0fa0d2bc
                                                                                                                            • Opcode Fuzzy Hash: d815108fe1d55ff87d4c2cc37bd82faefe2d830e8a86587ef2118bcfed6bbcfe
                                                                                                                            • Instruction Fuzzy Hash: 32E1D123A082868AFB74CF2EA4442BDBB90FB46749F054179DBCE87785EE3CE5459704
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 53555d60e433f5a3dc88a335546444deb1b2c319cd0ac3813d1caa597a53afb2
                                                                                                                            • Instruction ID: 38eca5f8ca8f1761561f6fa01e7c27940c767d9c11fd279fc25c8634a909c3cd
                                                                                                                            • Opcode Fuzzy Hash: 53555d60e433f5a3dc88a335546444deb1b2c319cd0ac3813d1caa597a53afb2
                                                                                                                            • Instruction Fuzzy Hash: B7B1D1A2B057C992EE68CAAAD6086E9A391F746FC5F44803ADE8D47740EF3CE155D300
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3340455307-0
                                                                                                                            • Opcode ID: fd8835e4233293591ea5a8582186aba0aa2126ac905c183a9a3c131a0123eb89
                                                                                                                            • Instruction ID: 6db86c6cfdbe8c1595e9e299b1b6ae9290df87957fcfb697250585bec4347e1a
                                                                                                                            • Opcode Fuzzy Hash: fd8835e4233293591ea5a8582186aba0aa2126ac905c183a9a3c131a0123eb89
                                                                                                                            • Instruction Fuzzy Hash: 1E415822B1565687FBB4DF22E80037AA242FBC9794F048038DE8D977D4EE3CE8428304

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo_noreturn$Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadModulePointerReadSleepStringSystemVersionWrite
                                                                                                                            • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll
                                                                                                                            • API String ID: 1496594111-2013832382
                                                                                                                            • Opcode ID: bfe5db74f0fd1cd693d0168678ddf1d659d8a0076dfe9363f5784d622136a130
                                                                                                                            • Instruction ID: 390bd4f7d2fd625b1d61760ee0bcc228bcd6961b3d3ea7c0d0b6ace7237b0291
                                                                                                                            • Opcode Fuzzy Hash: bfe5db74f0fd1cd693d0168678ddf1d659d8a0076dfe9363f5784d622136a130
                                                                                                                            • Instruction Fuzzy Hash: 29323732A09B8299EB318F60E8401E973A4FF55754F50027ADADD967A9FF3CE664C340
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00007FF69D3E8E58: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF69D3E8F8D
                                                                                                                            • _snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF69D3E9F75
                                                                                                                            • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69D3EA42F
                                                                                                                            • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69D3EA435
                                                                                                                              • Part of subcall function 00007FF69D3F0BBC: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF69D3F0B44), ref: 00007FF69D3F0BE9
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo_noreturn$ByteCharConcurrency::cancel_current_taskMultiWide_snwprintf
                                                                                                                            • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
                                                                                                                            • API String ID: 3629253777-3268106645
                                                                                                                            • Opcode ID: 4481dc18d9aef213357de604d4dac9df87b50023ae57810c60626698e7ae2a67
                                                                                                                            • Instruction ID: b9eeaf25b57bf9d0cbfdb7fc927528cac1fa97a23d09ff5c09147add015b930b
                                                                                                                            • Opcode Fuzzy Hash: 4481dc18d9aef213357de604d4dac9df87b50023ae57810c60626698e7ae2a67
                                                                                                                            • Instruction Fuzzy Hash: 0962E122B1978286EB30DF25D4442BDA361FB52B85F804179DA8E976D5FF3CE944C360

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: DloadSection$AccessExceptionProtectRaiseReleaseWrite$ErrorLastLibraryLoad
                                                                                                                            • String ID: H
                                                                                                                            • API String ID: 3432403771-2852464175
                                                                                                                            • Opcode ID: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
                                                                                                                            • Instruction ID: d184ef546a0e1b331a6b546a9da43d07014a90d39dd470da6c112a3a9633804c
                                                                                                                            • Opcode Fuzzy Hash: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
                                                                                                                            • Instruction Fuzzy Hash: 8F915732A05B528AEB20CFA5D8806A833B1FB29F98F444579DE8D97B54FF38E555C700

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_invalid_parameter_noinfo_noreturn
                                                                                                                            • String ID: .exe$.inf$Install$p
                                                                                                                            • API String ID: 1054546013-3607691742
                                                                                                                            • Opcode ID: 169854d1da345eb311f85763710173a518587d7cc33cadbf2b322f6e3284e820
                                                                                                                            • Instruction ID: fe7bbce98974e94552f40c83111104f36bc05f58548e27be147f8573c78fb5fd
                                                                                                                            • Opcode Fuzzy Hash: 169854d1da345eb311f85763710173a518587d7cc33cadbf2b322f6e3284e820
                                                                                                                            • Instruction Fuzzy Hash: FAC19F62F08A4695FB20CB69D940279A3A1EF96B85F0444B9CECD877A5FF3CE459D300

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3569833718-0
                                                                                                                            • Opcode ID: 6d17268858d6b6aed380ad60cc2cf8b16547cb3a0c40a3112c59011326a33119
                                                                                                                            • Instruction ID: 3491e7832f935f82e968f7ffbaa0c573587101d4b359fb64c282233afddc813e
                                                                                                                            • Opcode Fuzzy Hash: 6d17268858d6b6aed380ad60cc2cf8b16547cb3a0c40a3112c59011326a33119
                                                                                                                            • Instruction Fuzzy Hash: A3411431B1464286F320DF69E900BEA7360EB89F98F440275DD9E87B95EF3DE4498744
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3668304517-0
                                                                                                                            • Opcode ID: b032c4203464d7d21da07e69d79c0e4c121b5a0544032b27186c1858430c0b4e
                                                                                                                            • Instruction ID: 4bee1ab699dcab63eec531f6c4d0c535c4918dc69c87bf2f8b45b7427eb30bc1
                                                                                                                            • Opcode Fuzzy Hash: b032c4203464d7d21da07e69d79c0e4c121b5a0544032b27186c1858430c0b4e
                                                                                                                            • Instruction Fuzzy Hash: AF12E662F0878185FB20CB65D4842BDA371EB467A9F40027ADE9C57AD9EF3CD585C740

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$CreateErrorLast$Time_invalid_parameter_noinfo_noreturn
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3536497005-0
                                                                                                                            • Opcode ID: 3a28dd0dcfd7b89b689d9fe25ecc7464786bdc3a32dccfb94d5fbab1a7314792
                                                                                                                            • Instruction ID: 5ab20aa3f89149391ad508a775ea5266e1227eeaf713d9189a16b4bb8c767580
                                                                                                                            • Opcode Fuzzy Hash: 3a28dd0dcfd7b89b689d9fe25ecc7464786bdc3a32dccfb94d5fbab1a7314792
                                                                                                                            • Instruction Fuzzy Hash: 9D61E366A1864186E7308B2AE50037EA7A1FB95BA8F101338DFE943AD9EF7DD454C740

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EnvironmentVariable$_invalid_parameter_noinfo_noreturn
                                                                                                                            • String ID: sfxcmd$sfxpar
                                                                                                                            • API String ID: 3540648995-3493335439
                                                                                                                            • Opcode ID: f7f09a535254ba7702706040489ea7439e58d63b661cc729fc85acc9afefde13
                                                                                                                            • Instruction ID: 5ab7444682ce873189ed0d649e773ba6e749ffa1e5cb3c715bc4c131d8dd557a
                                                                                                                            • Opcode Fuzzy Hash: f7f09a535254ba7702706040489ea7439e58d63b661cc729fc85acc9afefde13
                                                                                                                            • Instruction Fuzzy Hash: 9231BE32B14B0A84FB10CB69E8841BC7371FB59B99F140175EE9D977A9EE38E056C344

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Global$Resource$Object$AllocBitmapCreateDeleteGdipLoadLock$FindFreeFromSizeofStreamUnlock
                                                                                                                            • String ID: ]
                                                                                                                            • API String ID: 3561356813-3352871620
                                                                                                                            • Opcode ID: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
                                                                                                                            • Instruction ID: da9b94929f17642b08fe7ab0768e948aaf6a69380486d4cbd05bff4a6c32be58
                                                                                                                            • Opcode Fuzzy Hash: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
                                                                                                                            • Instruction Fuzzy Hash: 74119360B0924742FE349B29A754379D6A1EF8ABC1F0801B8D99D87B99FF3CE8059700

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Message$DialogDispatchPeekTranslate
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1266772231-0
                                                                                                                            • Opcode ID: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
                                                                                                                            • Instruction ID: e53ff5da9ff4bf925d6c9dae95f3b5712e8bba826d0298b0fd07b165bbcdffaa
                                                                                                                            • Opcode Fuzzy Hash: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
                                                                                                                            • Instruction Fuzzy Hash: 1CF0EC25B3954282FB609B28E995B76A361FFE0B05F845575E58E81894EF3CD508CB00

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                                                                                            • String ID: EDIT
                                                                                                                            • API String ID: 4243998846-3080729518
                                                                                                                            • Opcode ID: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
                                                                                                                            • Instruction ID: 2e0eef34399e912b4792234b57351f5a23b2dc0ef0cdeed983c5c11e265972eb
                                                                                                                            • Opcode Fuzzy Hash: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
                                                                                                                            • Instruction Fuzzy Hash: 1201D121B18A4B81FE308F29F8107FAA390EFA9B84F440171CD8D86695FF3CE14A9710

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FileWrite$Handle
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4209713984-0
                                                                                                                            • Opcode ID: 36bd0183a846d9ba9312903715bf2ef21d1db3e0abb52a3d50b28083c89a0b57
                                                                                                                            • Instruction ID: 13c0d0a1b3f3b81ab8d65c3ad76faebbab074c9ce91d683829262e8dfca8d077
                                                                                                                            • Opcode Fuzzy Hash: 36bd0183a846d9ba9312903715bf2ef21d1db3e0abb52a3d50b28083c89a0b57
                                                                                                                            • Instruction Fuzzy Hash: 95511666A1A64292FB30CB26D44477AA320FF96B95F040175EB8D87AD0EF3CE885C310
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo_noreturn$TextWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2912839123-0
                                                                                                                            • Opcode ID: 9d86a8420a7792e6f88eb21becf175b056acef0070f0453ebeef36762228c97e
                                                                                                                            • Instruction ID: fde1b49fb7e0e97043f8d1f3a07e7eae6bdaaaf4d295dabcc9aefe0ec7e4627e
                                                                                                                            • Opcode Fuzzy Hash: 9d86a8420a7792e6f88eb21becf175b056acef0070f0453ebeef36762228c97e
                                                                                                                            • Instruction Fuzzy Hash: 3B51AF62F24A5285FB20DBA5D8442BD2362EF55FE4F400676DA9C96BD6FF6CD440C300
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateDirectory$ErrorLast_invalid_parameter_noinfo_noreturn
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2359106489-0
                                                                                                                            • Opcode ID: 5814b9c7a086e01b4622e2271a69726981060c022a5840e5c002a72d6478cc70
                                                                                                                            • Instruction ID: ca016ebc34040bba58c32d74d568ceb960700a1a0d70581e6ec55c8e126f2e41
                                                                                                                            • Opcode Fuzzy Hash: 5814b9c7a086e01b4622e2271a69726981060c022a5840e5c002a72d6478cc70
                                                                                                                            • Instruction Fuzzy Hash: 5231D562A0C68242EB309B65A484279A351FF8ABE2F500275EEDDC36D5EF3CE9458610
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1452418845-0
                                                                                                                            • Opcode ID: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
                                                                                                                            • Instruction ID: 96ee8baebc15f6bd3d0eff3cee81b09aed2c2af2969fe44650fbc8b617432bbd
                                                                                                                            • Opcode Fuzzy Hash: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
                                                                                                                            • Instruction Fuzzy Hash: 99314B21A4814382FB74ABA4D4953BA2291EF61FC4F4444B4DACECB6D3FE2CA804C391
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$FileHandleRead
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2244327787-0
                                                                                                                            • Opcode ID: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
                                                                                                                            • Instruction ID: da43baea7d4f5f5570dc24abd0b3ae91306a54a6d21779f3147ed549a07eff56
                                                                                                                            • Opcode Fuzzy Hash: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
                                                                                                                            • Instruction Fuzzy Hash: FF218025E0C54682EA709B12A400239E7A0FF46B95F144578DADD8E7CAEF7CDC858B21
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00007FF69D3EECD8: ResetEvent.KERNEL32 ref: 00007FF69D3EECF1
                                                                                                                              • Part of subcall function 00007FF69D3EECD8: ReleaseSemaphore.KERNEL32 ref: 00007FF69D3EED07
                                                                                                                            • ReleaseSemaphore.KERNEL32 ref: 00007FF69D3EE974
                                                                                                                            • CloseHandle.KERNELBASE ref: 00007FF69D3EE993
                                                                                                                            • DeleteCriticalSection.KERNEL32 ref: 00007FF69D3EE9AA
                                                                                                                            • CloseHandle.KERNEL32 ref: 00007FF69D3EE9B7
                                                                                                                              • Part of subcall function 00007FF69D3EEA5C: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF69D3EE95F,?,?,?,00007FF69D3E463A,?,?,?), ref: 00007FF69D3EEA63
                                                                                                                              • Part of subcall function 00007FF69D3EEA5C: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF69D3EE95F,?,?,?,00007FF69D3E463A,?,?,?), ref: 00007FF69D3EEA6E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseHandleReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 502429940-0
                                                                                                                            • Opcode ID: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
                                                                                                                            • Instruction ID: 03726dd71eb0a2cdce87d33bf9cccf6924d7bca5584addd0a338cefeaf4e5b4b
                                                                                                                            • Opcode Fuzzy Hash: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
                                                                                                                            • Instruction Fuzzy Hash: 34014033A14A81E3E668DB21E54426DB370FB84BC0F004075DBAD53665DF39E5B4C740
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CreatePriority
                                                                                                                            • String ID: CreateThread failed
                                                                                                                            • API String ID: 2610526550-3849766595
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: DirectoryInitializeMallocSystem
                                                                                                                            • String ID: riched20.dll
                                                                                                                            • API String ID: 174490985-3360196438
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00007FF69D3F853C: GlobalMemoryStatusEx.KERNEL32 ref: 00007FF69D3F856C
                                                                                                                              • Part of subcall function 00007FF69D3EAAE0: LoadStringW.USER32 ref: 00007FF69D3EAB67
                                                                                                                              • Part of subcall function 00007FF69D3EAAE0: LoadStringW.USER32 ref: 00007FF69D3EAB80
                                                                                                                              • Part of subcall function 00007FF69D3D1FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69D3D1FFB
                                                                                                                              • Part of subcall function 00007FF69D3D129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF69D3D1396
                                                                                                                            • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69D4001BB
                                                                                                                            • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69D4001C1
                                                                                                                            • SendDlgItemMessageW.USER32 ref: 00007FF69D4001F2
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo_noreturn$LoadString$Concurrency::cancel_current_taskGlobalItemMemoryMessageSendStatus
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3106221260-0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateFile$_invalid_parameter_noinfo_noreturn
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2272807158-0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: TextWindow$Length_invalid_parameter_noinfo_noreturn
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2176759853-0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: std::bad_alloc::bad_alloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1875163511-0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1203560049-0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: DeleteFile$_invalid_parameter_noinfo_noreturn
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3118131910-0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1203560049-0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Similarity
                                                                                                                            • API ID: Process$CurrentExitTerminate
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1703294689-0
                                                                                                                            APIs
                                                                                                                            • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69D3DF895
                                                                                                                            • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69D3DF89B
                                                                                                                              • Part of subcall function 00007FF69D3E3EC8: FindClose.KERNELBASE(?,?,00000000,00007FF69D3F0811), ref: 00007FF69D3E3EFD
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo_noreturn$CloseFind
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3587649625-0
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3668304517-0
                                                                                                                            APIs
                                                                                                                            • SetFilePointer.KERNELBASE(00000000,00000002,?,00000F99,?,00007FF69D3E274D), ref: 00007FF69D3E28A9
                                                                                                                            • GetLastError.KERNEL32(?,00007FF69D3E274D), ref: 00007FF69D3E28B8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorFileLastPointer
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2976181284-0
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: Item_invalid_parameter_noinfo_noreturn
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1746051919-0
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: File$BuffersFlushTime
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1392018926-0
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: LoadString
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2948472770-0
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorFileLastPointer
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2976181284-0
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: ItemRectTextWindow$Clientswprintf
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3322643685-0
                                                                                                                            • Opcode ID: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
                                                                                                                            • Instruction ID: f7381ff7d208ff75e3cb0c38bacac6acf68b30e8d0e962f5254b5179a5896ecc
                                                                                                                            • Opcode Fuzzy Hash: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
                                                                                                                            • Instruction Fuzzy Hash: F0017518A0D24A41FF755757A5546B9D752DF86B49F0801B9DCCD863D9FE2CE884C700
                                                                                                                            APIs
                                                                                                                            • GetCurrentProcess.KERNEL32(?,?,?,?,00007FF69D3EEBAD,?,?,?,?,00007FF69D3E5752,?,?,?,00007FF69D3E56DE), ref: 00007FF69D3EEB5C
                                                                                                                            • GetProcessAffinityMask.KERNEL32 ref: 00007FF69D3EEB6F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Process$AffinityCurrentMask
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1231390398-0
                                                                                                                            • Opcode ID: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
                                                                                                                            • Instruction ID: aeb247f54d160a4094ba256ce1aaee2b0bac962e97ab21a1d4006a5ef75912fc
                                                                                                                            • Opcode Fuzzy Hash: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
                                                                                                                            • Instruction Fuzzy Hash: 2AE02B61F2854743DF298F55D4405E9B392FFC8F40B848035D64BC3614FE2CE5458B00
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1173176844-0
                                                                                                                            • Opcode ID: 14867973fed18b2c44dc58e1bcd5f94848bfca26dcf41195b9c376eff134a452
                                                                                                                            • Instruction ID: 2705c02008a42c901039bc2db80ac0865aac4dc34b0c51e93d317868f540c632
                                                                                                                            • Opcode Fuzzy Hash: 14867973fed18b2c44dc58e1bcd5f94848bfca26dcf41195b9c376eff134a452
                                                                                                                            • Instruction Fuzzy Hash: C7E0EC40E1D10742FF7822B198A61B50054CF39BF0E5C17B4DAFE886C2BD1CA4A19310
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorFreeHeapLast
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 485612231-0
                                                                                                                            • Opcode ID: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
                                                                                                                            • Instruction ID: b734323d64df198fc6e79ecabe806e422db91dee735a84e9ecff15b274361913
                                                                                                                            • Opcode Fuzzy Hash: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
                                                                                                                            • Instruction Fuzzy Hash: 78E0EC60E0950396FF38ABF2DC456B85291DFB8F95F0844B4C98DC6792FF2CA5998701
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3668304517-0
                                                                                                                            • Opcode ID: bdf8625448bd8dcd1def64a6508c1891a019ebdf0eaa44acf70db7eea19c6d5a
                                                                                                                            • Instruction ID: e769f950b1122d7abf10a57e2aab2172d35398780d906b8ea2b5fa4505c88427
                                                                                                                            • Opcode Fuzzy Hash: bdf8625448bd8dcd1def64a6508c1891a019ebdf0eaa44acf70db7eea19c6d5a
                                                                                                                            • Instruction Fuzzy Hash: E4D1CB72B0868156EB788B65D5402B9E7A1FB16BC5F04007ACB9D877A5EF3CF8648B01
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CompareString_invalid_parameter_noinfo_noreturn
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1017591355-0
                                                                                                                            • Opcode ID: cc14dedd2e5cc10f866aa6caa5d21262f0f150b8de9e36933eecb23af5082f8f
                                                                                                                            • Instruction ID: 814dbd15b03f04e274f721fbf542acdc611126f11ceec2c580fe71fdcd15d779
                                                                                                                            • Opcode Fuzzy Hash: cc14dedd2e5cc10f866aa6caa5d21262f0f150b8de9e36933eecb23af5082f8f
                                                                                                                            • Instruction Fuzzy Hash: B3610511A0C64783FA749A1594152BAD291EF62BD2F1446B9EECDC6EC6FE7CEC408720
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00007FF69D3EE948: ReleaseSemaphore.KERNEL32 ref: 00007FF69D3EE974
                                                                                                                              • Part of subcall function 00007FF69D3EE948: CloseHandle.KERNELBASE ref: 00007FF69D3EE993
                                                                                                                              • Part of subcall function 00007FF69D3EE948: DeleteCriticalSection.KERNEL32 ref: 00007FF69D3EE9AA
                                                                                                                              • Part of subcall function 00007FF69D3EE948: CloseHandle.KERNEL32 ref: 00007FF69D3EE9B7
                                                                                                                            • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69D3F1ACB
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseHandle$CriticalDeleteReleaseSectionSemaphore_invalid_parameter_noinfo_noreturn
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 904680172-0
                                                                                                                            • Opcode ID: d290ff0340b2f7b8c481c765b1242dc1c9e961513c2e25b7a8d04bd0f0df45e2
                                                                                                                            • Instruction ID: d6ff83b4afc57a7c01961c9cb32c03563e6edd2529ce577db0856e94d1501e61
                                                                                                                            • Opcode Fuzzy Hash: d290ff0340b2f7b8c481c765b1242dc1c9e961513c2e25b7a8d04bd0f0df45e2
                                                                                                                            • Instruction Fuzzy Hash: 2C61B162B1568992FE28DB69E1940BCB364FB41FD0B54427AD7AD47AC2EF3CE4708300
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3668304517-0
                                                                                                                            • Opcode ID: 8224b7fd2a7b3993909c7b7cd0f713fda73a3d1a31d87bfd609fddd8dd81cd72
                                                                                                                            • Instruction ID: 7343094116c22122ca69f968194f9a3a627b30d36ad0059a569fb2483c620614
                                                                                                                            • Opcode Fuzzy Hash: 8224b7fd2a7b3993909c7b7cd0f713fda73a3d1a31d87bfd609fddd8dd81cd72
                                                                                                                            • Instruction Fuzzy Hash: C951D4A2A0864245EA309B25D4443B9AB51FB86BC5F48017AEECD873D6EE3DE485C700
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00007FF69D3E3EC8: FindClose.KERNELBASE(?,?,00000000,00007FF69D3F0811), ref: 00007FF69D3E3EFD
                                                                                                                            • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69D3DE993
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseFind_invalid_parameter_noinfo_noreturn
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1011579015-0
                                                                                                                            • Opcode ID: a98b459d02bd845be10ee4858e1a476889abeecdc2f1b3a80362524ddef0ea38
                                                                                                                            • Instruction ID: aba38da692068fce625375d21a32d51b0f56342988e98c1fad9e507d430b70f8
                                                                                                                            • Opcode Fuzzy Hash: a98b459d02bd845be10ee4858e1a476889abeecdc2f1b3a80362524ddef0ea38
                                                                                                                            • Instruction Fuzzy Hash: A951AE22A0868682FB708F24D48437DA761FF86F85F55027AEADD976A5EF3CD441CB10
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3668304517-0
                                                                                                                            • Opcode ID: c20f63e52e72bc26c2744a67b0854ddd180641c775e0ec6010bc83974cb5c62d
                                                                                                                            • Instruction ID: 776ca101f3b949844df924467ff7f85d10dd9918cab360ced60ea5936325203b
                                                                                                                            • Opcode Fuzzy Hash: c20f63e52e72bc26c2744a67b0854ddd180641c775e0ec6010bc83974cb5c62d
                                                                                                                            • Instruction Fuzzy Hash: 51410A62B1869142EB248B17E540379E251FB85FC1F44853AEE9C87F8AEF3CD8518340
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3668304517-0
                                                                                                                            • Opcode ID: 83ad35d64ea7fd9ec499ef84e65e7ac41e5a751faf938eb3350802b96480f739
                                                                                                                            • Instruction ID: 1edbbc1958f941a4703b9152870290bce0f691c6f6e0f10e90f98bb44ce8a8ab
                                                                                                                            • Opcode Fuzzy Hash: 83ad35d64ea7fd9ec499ef84e65e7ac41e5a751faf938eb3350802b96480f739
                                                                                                                            • Instruction Fuzzy Hash: 67411762A0870582EF309B25E145379A360EB96BD6F040179EACE877D9EF3DEC418710
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: HandleModule$AddressFreeLibraryProc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3947729631-0
                                                                                                                            • Opcode ID: 5b4d6432c9ab27f48bf344f41163fa66ca8822e5b5ed34cf2c0174bd429b5c6d
                                                                                                                            • Instruction ID: d48513a1a17d7f988d52091550e5a33e6643e7d17276d5ecd75106711fcec916
                                                                                                                            • Opcode Fuzzy Hash: 5b4d6432c9ab27f48bf344f41163fa66ca8822e5b5ed34cf2c0174bd429b5c6d
                                                                                                                            • Instruction Fuzzy Hash: 51419F22A1864282FB349B25D95017862A1EF78FC0F5444B6DB8DC76A1FF7DE841C786
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Concurrency::cancel_current_taskstd::bad_alloc::bad_alloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 680105476-0
                                                                                                                            • Opcode ID: 9aea57e1cbc1acb0343bc23020ebe7367b53934ade50ddaffc586ce89fb7cfd6
                                                                                                                            • Instruction ID: 1329413f37edd19b6771f3e50ffae8c8cb7a05494612b756e79b5a843a1dd4e9
                                                                                                                            • Opcode Fuzzy Hash: 9aea57e1cbc1acb0343bc23020ebe7367b53934ade50ddaffc586ce89fb7cfd6
                                                                                                                            • Instruction Fuzzy Hash: 29218322A0865186EB249B92E400279A250EB06BF1F580B76DFBD87BD5EE7CE0518744
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3215553584-0
                                                                                                                            • Opcode ID: 9dd5a9e84c18447e56e2265fa04046f11d37b96b7f5b774ce3305aa6458b3f00
                                                                                                                            • Instruction ID: c60f9f178b7210dad9ee4ba2b3e5da2c33604645272c33a8cc2ae81a71cdadd1
                                                                                                                            • Opcode Fuzzy Hash: 9dd5a9e84c18447e56e2265fa04046f11d37b96b7f5b774ce3305aa6458b3f00
                                                                                                                            • Instruction Fuzzy Hash: 4B115B32A1C68286F7309F54E580679B2A5FB60B80F5505B5EACDD7A96FF3CE8208704
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3668304517-0
                                                                                                                            • Opcode ID: e211765aad0e482f14211f193c2fa738a397cbf9b51fc622cf430de4bdc09e7c
                                                                                                                            • Instruction ID: 85b8a9efc953cc24e3e0c83385184ff48545ed0d96487f718b6d1d968ed3b0fa
                                                                                                                            • Opcode Fuzzy Hash: e211765aad0e482f14211f193c2fa738a397cbf9b51fc622cf430de4bdc09e7c
                                                                                                                            • Instruction Fuzzy Hash: BE0104A2E1868541EA319768E4412297361FF9AB91F804276EADC47AE5EF6CE0408B04
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00007FF69D401604: GetModuleHandleW.KERNEL32(?,?,?,00007FF69D401573,?,?,?,00007FF69D40192A), ref: 00007FF69D40162B
                                                                                                                            • DloadProtectSection.DELAYIMP ref: 00007FF69D4015C9
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: DloadHandleModuleProtectSection
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2883838935-0
                                                                                                                            • Opcode ID: 908f49ac33541a8240f4269ada82e733cc5c0c647bda27ab8868a2cee9a60ef3
                                                                                                                            • Instruction ID: 3104107da35ded81230dfb7383d33a68699e6129439943f8e83ad32aa42d253f
                                                                                                                            • Opcode Fuzzy Hash: 908f49ac33541a8240f4269ada82e733cc5c0c647bda27ab8868a2cee9a60ef3
                                                                                                                            • Instruction Fuzzy Hash: 5C11C961E0861781FB719B09EA41374A3A0EF29F88F6404B5C9CDCB2A1FF3CA4958702
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00007FF69D3E40BC: FindFirstFileW.KERNELBASE ref: 00007FF69D3E410B
                                                                                                                              • Part of subcall function 00007FF69D3E40BC: FindFirstFileW.KERNELBASE ref: 00007FF69D3E415E
                                                                                                                              • Part of subcall function 00007FF69D3E40BC: GetLastError.KERNEL32 ref: 00007FF69D3E41AF
                                                                                                                            • FindClose.KERNELBASE(?,?,00000000,00007FF69D3F0811), ref: 00007FF69D3E3EFD
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Find$FileFirst$CloseErrorLast
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1464966427-0
                                                                                                                            • Opcode ID: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
                                                                                                                            • Instruction ID: 2de9a377e5bfd90ce91cde8b85009f92ab98e9ebccfcf52ee1b746da5df68d31
                                                                                                                            • Opcode Fuzzy Hash: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
                                                                                                                            • Instruction Fuzzy Hash: 98F0F46250C24182DA309BB0A000178B760DF1BBB6F1413BCEABD472C7DE28D8458760
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 749574446-0
                                                                                                                            • Opcode ID: 7793d0dfaf1bed477703e517dfb550f1e48d00439aedf8bd4eeb9f79e866bcb3
                                                                                                                            • Instruction ID: eaac667b7c70e3f4d2de05a2c31435eab41e701c02ca77a27d5789edf1976d9f
                                                                                                                            • Opcode Fuzzy Hash: 7793d0dfaf1bed477703e517dfb550f1e48d00439aedf8bd4eeb9f79e866bcb3
                                                                                                                            • Instruction Fuzzy Hash: 25E0CD15B1092582EF309B37CC415345320EF4DF86B441070CE4C47361DF28C8918700
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FileType
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3081899298-0
                                                                                                                            • Opcode ID: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
                                                                                                                            • Instruction ID: b02facd9f84364dab8313b45d6f7dc54c44aedfb0d156f1d6951a6d58e300ecf
                                                                                                                            • Opcode Fuzzy Hash: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
                                                                                                                            • Instruction Fuzzy Hash: 2CD01216D0944193DD209736985203C6350EF93736FA407B0D6BEC16E1DE1D9996A721
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CurrentDirectory
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1611563598-0
                                                                                                                            • Opcode ID: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
                                                                                                                            • Instruction ID: 7ddc5b74dfcc648dca4e354fa92477bc9fc9f03704e1e9906bf7e9530e66bcff
                                                                                                                            • Opcode Fuzzy Hash: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
                                                                                                                            • Instruction Fuzzy Hash: 30C08C21F05503C2DA185B26C8C912813A4FB50F05B628078C24CC1160EE2CC9FA9386
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocHeap
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4292702814-0
                                                                                                                            • Opcode ID: c4d23aaef5024e3722ccbb242168b3e22d65bf63548bcaacbbf61b8d0a3ba7a1
                                                                                                                            • Instruction ID: 50782547e04357c95b086cec922d1da61a99fe953ec894312d3914f1d81981c6
                                                                                                                            • Opcode Fuzzy Hash: c4d23aaef5024e3722ccbb242168b3e22d65bf63548bcaacbbf61b8d0a3ba7a1
                                                                                                                            • Instruction Fuzzy Hash: 2FF04454B0A2078AFF746AA6D9112B55290DFA8FC0F0C54B0CA8ECA7C2FE2CA6814710
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseHandle
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2962429428-0
                                                                                                                            • Opcode ID: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
                                                                                                                            • Instruction ID: 72f1ffa0636753c5cbf90586b722cea55069f4e88a1f5a4dbf6f3eadf278358a
                                                                                                                            • Opcode Fuzzy Hash: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
                                                                                                                            • Instruction Fuzzy Hash: A7F02822A0828286FB308F32E040379A760EB11BB9F090378D7BCC11C4EF28CD95C310
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocHeap
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4292702814-0
                                                                                                                            • Opcode ID: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
                                                                                                                            • Instruction ID: da36f870fc701546103d71ed63983ccef191497968bbc42494b98f26250a1b04
                                                                                                                            • Opcode Fuzzy Hash: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
                                                                                                                            • Instruction Fuzzy Hash: EFF05810B1920785FF346AB59C003B56290DFA8FE0F081AB0D9EEC6AC5FF2CA4888311
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo_noreturn$CloseErrorFileHandleLastwcscpy$ControlCreateCurrentDeleteDeviceDirectoryProcessRemove
                                                                                                                            • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                                                                            • API String ID: 2659423929-3508440684
                                                                                                                            • Opcode ID: 9095b8b635ee1b3724f71a8dbbb9d265ce2413fd6cef4979d292408be238607f
                                                                                                                            • Instruction ID: 74e63f4c52f09aa959cf7661ad17ddef3f2cb8b2d38759435ba962cfedae84e1
                                                                                                                            • Opcode Fuzzy Hash: 9095b8b635ee1b3724f71a8dbbb9d265ce2413fd6cef4979d292408be238607f
                                                                                                                            • Instruction Fuzzy Hash: 39620362F1864285FB20DB74D4442BD6321EF9A7A4F50037ADAAC97ADAEF3CD594C700
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo_noreturn$ErrorLastLoadString$Concurrency::cancel_current_taskInit_thread_footer
                                                                                                                            • String ID: %ls$%s: %s
                                                                                                                            • API String ID: 2539828978-2259941744
                                                                                                                            • Opcode ID: e7d763cba1748636a717d840b470af6b857e75bfec91eb158d0f18c102781128
                                                                                                                            • Instruction ID: 83f8d3a2f20e74a5221b7086083e11d031ccff2a00c899f4b405fd7aacb51ec4
                                                                                                                            • Opcode Fuzzy Hash: e7d763cba1748636a717d840b470af6b857e75bfec91eb158d0f18c102781128
                                                                                                                            • Instruction Fuzzy Hash: 7EB2B862A1868642FA309B29D5542BEE311EFDB7D1F10427AE6DD83AD6FF6CD540C700
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfomemcpy_s
                                                                                                                            • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                            • API String ID: 1759834784-2761157908
                                                                                                                            Similarity
                                                                                                                            • API ID: NamePath$File_invalid_parameter_noinfo_noreturn$LongMoveShort$CompareCreateString
                                                                                                                            • String ID: rtmp
                                                                                                                            • API String ID: 3587137053-870060881
                                                                                                                            Similarity
                                                                                                                            • API ID: FullNamePath_invalid_parameter_noinfo_noreturn
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1693479884-0
                                                                                                                            Similarity
                                                                                                                            • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3140674995-0
                                                                                                                            Similarity
                                                                                                                            • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1239891234-0
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3668304517-0
                                                                                                                            APIs
                                                                                                                            • _invalid_parameter_noinfo.LIBCMT ref: 00007FF69D40FAC4
                                                                                                                              • Part of subcall function 00007FF69D407934: GetCurrentProcess.KERNEL32(00007FF69D410CCD), ref: 00007FF69D407961
                                                                                                                            Similarity
                                                                                                                            • API ID: CurrentProcess_invalid_parameter_noinfo
                                                                                                                            • String ID: *?$.
                                                                                                                            • API String ID: 2518042432-3972193922
                                                                                                                            Similarity
                                                                                                                            • API ID: memcpy_s
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1502251526-0
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorFormatFreeLastLocalMessage
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1365068426-0
                                                                                                                            • Opcode ID: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
                                                                                                                            • Instruction ID: 0acb6083d56b3de92c72789a294df736ac29a72da40dc27ea99538d13b75c109
                                                                                                                            • Opcode Fuzzy Hash: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
                                                                                                                            • Instruction Fuzzy Hash: 4A014F7560C74682E7208F22B85017AA7A1FF9ABC5F084079EACD87B45EF3CD5148B01
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: .
                                                                                                                            • API String ID: 0-248832578
                                                                                                                            • Opcode ID: 7c9d8364e7b62915daf92aecf888b4814fe01b6aae5fc02ec6e7aa2f3019df5b
                                                                                                                            • Instruction ID: f1e05ee92131eb28b796aa93723ac798aa2915d2e31f4659fbc10aa0d72264f6
                                                                                                                            • Opcode Fuzzy Hash: 7c9d8364e7b62915daf92aecf888b4814fe01b6aae5fc02ec6e7aa2f3019df5b
                                                                                                                            • Instruction Fuzzy Hash: 31310922B0869145F7309A36E8057B97A91FBA4FE4F148275EFAC87BC6EE3CD5018700
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExceptionRaise_clrfp
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 15204871-0
                                                                                                                            • Opcode ID: 131550a8e914c8a4384a7255cc8ec53066b4dff0b7ecc1394be8dfb6b4310eca
                                                                                                                            • Instruction ID: 8b2aabe931fff013015283fc222e4bb85dd098f66afdc08a3f7ba02f1eb4884a
                                                                                                                            • Opcode Fuzzy Hash: 131550a8e914c8a4384a7255cc8ec53066b4dff0b7ecc1394be8dfb6b4310eca
                                                                                                                            • Instruction Fuzzy Hash: 9FB13A73604B898AEB25CF29C8463A87BB0F754F48F158971DAAD877A4DF39D461CB00
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ObjectRelease$CapsDevice
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1061551593-0
                                                                                                                            • Opcode ID: 68dbe16693602acb82a0a9c061fd0d735b77194d41f4ab9e90264308bb487059
                                                                                                                            • Instruction ID: 69d9d79a94b5395fc26650c9601526ef3d0ece268ea46a028c9d6f6b2a2d48f6
                                                                                                                            • Opcode Fuzzy Hash: 68dbe16693602acb82a0a9c061fd0d735b77194d41f4ab9e90264308bb487059
                                                                                                                            • Instruction Fuzzy Hash: 9B814976B08A0A86EB24CF6AE4406AD7771FB98F88F004176DE8D97B64EF38D545C740
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FormatInfoLocaleNumber
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2169056816-0
                                                                                                                            • Opcode ID: a0c8fcaef59427837b2a7c7753e3d717a8442860a15e47712294eddcbb527c28
                                                                                                                            • Instruction ID: 33b515bd8ac0fb074e6df27a6129ee2c6b7edd9afa358139b53dc80726dbf7fa
                                                                                                                            • Opcode Fuzzy Hash: a0c8fcaef59427837b2a7c7753e3d717a8442860a15e47712294eddcbb527c28
                                                                                                                            • Instruction Fuzzy Hash: 8C115C32A18B8595E7718F21E8003E9B360FF88B88F844175DA8D83A58EF3CE55AC744
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00007FF69D3E24C0: CreateFileW.KERNELBASE ref: 00007FF69D3E259B
                                                                                                                              • Part of subcall function 00007FF69D3E24C0: GetLastError.KERNEL32 ref: 00007FF69D3E25AE
                                                                                                                              • Part of subcall function 00007FF69D3E24C0: CreateFileW.KERNEL32 ref: 00007FF69D3E260E
                                                                                                                              • Part of subcall function 00007FF69D3E24C0: GetLastError.KERNEL32 ref: 00007FF69D3E2617
                                                                                                                            • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF69D3E15D0
                                                                                                                              • Part of subcall function 00007FF69D3E3980: MoveFileW.KERNEL32 ref: 00007FF69D3E39BD
                                                                                                                              • Part of subcall function 00007FF69D3E3980: MoveFileW.KERNEL32 ref: 00007FF69D3E3A34
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$CreateErrorLastMove$_invalid_parameter_noinfo_noreturn
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 34527147-0
                                                                                                                            • Opcode ID: e551f5cd72cc32021c0545c09a5d852fa8adbb9b535e4bd48ae0dc113e77b3ec
                                                                                                                            • Instruction ID: bbc372491010c46930a4e4030099abe05af185a044ab0465b6d058031ef96c28
                                                                                                                            • Opcode Fuzzy Hash: e551f5cd72cc32021c0545c09a5d852fa8adbb9b535e4bd48ae0dc113e77b3ec
                                                                                                                            • Instruction Fuzzy Hash: 7D91F122B18A4682EB20DB62D4442BEA360FB56BC5F40007AEE8D97BD5EF3CD945C750
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Version
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1889659487-0
                                                                                                                            • Opcode ID: 5e1f820920c456f15e44ae9d5f0cc3b6f822566f542002a6e47536c5256bfc9c
                                                                                                                            • Instruction ID: c211561997db6aecd23bef3348ac7fa3a08c4302f070374f1abad60e50800f30
                                                                                                                            • Opcode Fuzzy Hash: 5e1f820920c456f15e44ae9d5f0cc3b6f822566f542002a6e47536c5256bfc9c
                                                                                                                            • Instruction Fuzzy Hash: 5B01847294D58286FA318B20A5143B9E790DFAAB06F4402F8C5DC872D1FE3CE44A8B24
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                            • String ID: 0
                                                                                                                            • API String ID: 3215553584-4108050209
                                                                                                                            • Opcode ID: 0fbd957179d89af9e1d3453d65279f22830f04fe064c784c04e338e6c7bf3646
                                                                                                                            • Instruction ID: a3ab18743b16bc6376fad6a272408b15e00ef8cfa7511ba21375d7cc8d555e7d
                                                                                                                            • Opcode Fuzzy Hash: 0fbd957179d89af9e1d3453d65279f22830f04fe064c784c04e338e6c7bf3646
                                                                                                                            • Instruction Fuzzy Hash: 5281E621A1A28246FBB8AA25C24067D23A0EF70FC4F1417B1DDC9C7695EF3DE845D782
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                            • String ID: 0
                                                                                                                            • API String ID: 3215553584-4108050209
                                                                                                                            • Opcode ID: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
                                                                                                                            • Instruction ID: f150e04ed43e28e9fa23bbe13646710ea9f6ce4550cf1cb1b993c482a2d8c4c6
                                                                                                                            • Opcode Fuzzy Hash: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
                                                                                                                            • Instruction Fuzzy Hash: 54711A21A0D64247FB74AA25C24027D23A0DF61FC4F1815B1DDC9C7BD6EE2DE8469B53
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: gj
                                                                                                                            • API String ID: 0-4203073231
                                                                                                                            • Opcode ID: 226aa63bfce789330e15763d8953fb7d553c3450d9c1aa6f260de1088bdface5
                                                                                                                            • Instruction ID: 993387a8cc493e9ef85871edc87b3813e221803c1f7d1be3ac679b90ddcb8aad
                                                                                                                            • Opcode Fuzzy Hash: 226aa63bfce789330e15763d8953fb7d553c3450d9c1aa6f260de1088bdface5
                                                                                                                            • Instruction Fuzzy Hash: E15191377286908BD764CF25E4009AEB3A5F388798F445126EF8A93B09DB3DE945CF40
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: @
                                                                                                                            • API String ID: 0-2766056989
                                                                                                                            • Opcode ID: 49e7fa989fc271adaa8e130b28d1cae0d9f82f392019a5f874cdac11a507a941
                                                                                                                            • Instruction ID: 2da37d4c971c51c31b0d2c6721f972f94597dc88f57adea5d0aec9d437a7a025
                                                                                                                            • Opcode Fuzzy Hash: 49e7fa989fc271adaa8e130b28d1cae0d9f82f392019a5f874cdac11a507a941
                                                                                                                            • Instruction Fuzzy Hash: 5B41BB22714A44C6EB18CF2AE9142A973A1E768FD4B499136DF9DC7798EE3CD046C300
                                                                                                                            APIs
                                                                                                                            Similarity
                                                                                                                            • API ID: HeapProcess
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 54951025-0
                                                                                                                            • Opcode ID: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
                                                                                                                            • Instruction ID: 1f16471de8e950ae634e493bb1f41580ec5c1c993364c3698cc0254f8a8430c2
                                                                                                                            • Opcode Fuzzy Hash: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
                                                                                                                            • Instruction Fuzzy Hash: E1B09230E17A06D2EE182F556E8225462A4FF58B00F9880B8C58C81320EE2D20B54701
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 190572456-0
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                            • String ID: :$EFS:$LOGGED_UTILITY_STREAM$:$I30:$INDEX_ALLOCATION$:$TXF_DATA:$LOGGED_UTILITY_STREAM$::$ATTRIBUTE_LIST$::$BITMAP$::$DATA$::$EA$::$EA_INFORMATION$::$FILE_NAME$::$INDEX_ALLOCATION$::$INDEX_ROOT$::$LOGGED_UTILITY_STREAM$::$OBJECT_ID$::$REPARSE_POINT
                                                                                                                            • API String ID: 3668304517-727060406
                                                                                                                            • Opcode ID: 2f19ab4c30c8eac6d144c901c4549240b956f6a692c877d1095a563e450749ff
                                                                                                                            • Instruction ID: d343f134e6dc86a6f564e72cc075da7b84a7857c3effa95643425ae96342ae09
                                                                                                                            • Opcode Fuzzy Hash: 2f19ab4c30c8eac6d144c901c4549240b956f6a692c877d1095a563e450749ff
                                                                                                                            • Instruction Fuzzy Hash: C841EA76B05F01A9EB208F64E4803E933B5EB59B98F400276DA8C87B59FF38D165C780
                                                                                                                            Similarity
                                                                                                                            • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                                                                                                            • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                                                                            • API String ID: 2565136772-3242537097
                                                                                                                            • Opcode ID: 6e1e709f092c3aabc6fb1c9db3d7c09c3ef1a4a7bf2af41e7ac9402dec2f511f
                                                                                                                            • Instruction ID: 572e0b0169939d852eda62a5b6d2104b6b9cc4f9d8a3a19541f2c622d1fa5800
                                                                                                                            • Opcode Fuzzy Hash: 6e1e709f092c3aabc6fb1c9db3d7c09c3ef1a4a7bf2af41e7ac9402dec2f511f
                                                                                                                            • Instruction Fuzzy Hash: 6B213C61E09A07A6FF759B64E99417863A0EF68FD0F8400B5D9CEC26A1FF3CA4658701
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
                                                                                                                            • String ID: DXGIDebug.dll$UNC$\\?\
                                                                                                                            • API String ID: 4097890229-4048004291
                                                                                                                            • Opcode ID: 84a8d5924325d9694cefe69853777e32b6ff0efedf48cba38b0c2889e3b1290b
                                                                                                                            • Instruction ID: 42935dd547759755fc4a4d6b90a56b75524fa7c10da28b0059f8a4d951881bd2
                                                                                                                            • Opcode Fuzzy Hash: 84a8d5924325d9694cefe69853777e32b6ff0efedf48cba38b0c2889e3b1290b
                                                                                                                            • Instruction Fuzzy Hash: 7C12F562B08B4282EB20DB65D4441BDA371EB82BC8F50467ADB9D87BD9EF3CD945C350
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskDialog
                                                                                                                            • String ID: GETPASSWORD1$Software\WinRAR SFX
                                                                                                                            • API String ID: 431506467-1315819833
                                                                                                                            • Opcode ID: cbdb2342dbc27246140afa92192789482b4dc38f3de2603255fba98438e470aa
                                                                                                                            • Instruction ID: 6ff12d948fa1ff1c808d915e3c0b5c7b7b69ab5cbc984e5654db694c01cb9c86
                                                                                                                            • Opcode Fuzzy Hash: cbdb2342dbc27246140afa92192789482b4dc38f3de2603255fba98438e470aa
                                                                                                                            • Instruction Fuzzy Hash: 0CB1B362F1974685FB208BA8D4842BC6372EF46798F404279DE9C66AD9FF3CE459C340
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo_noreturn$Global$AllocCreateStream
                                                                                                                            • String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
                                                                                                                            • API String ID: 2868844859-1533471033
                                                                                                                            • Opcode ID: d8862c3025e57af8a5778f9936a91020890481e3bad1d2e12bbb9941efaf755e
                                                                                                                            • Instruction ID: 9299a031bb3b4d8f0bc49a76539a893d1a9b8c7a21977f8126a7754e453bb7d7
                                                                                                                            • Opcode Fuzzy Hash: d8862c3025e57af8a5778f9936a91020890481e3bad1d2e12bbb9941efaf755e
                                                                                                                            • Instruction Fuzzy Hash: E281CE62F18A0695FB20DBA9D4402EC7371EF55BC8F40417ACE9D9769AFE38D51AC300
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                            • String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
                                                                                                                            • API String ID: 3215553584-2617248754
                                                                                                                            • Opcode ID: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
                                                                                                                            • Instruction ID: afc84d3f92d7d4313a4bd85837126b976689f39af3ffe1517a6857a0ed7f3ec3
                                                                                                                            • Opcode Fuzzy Hash: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
                                                                                                                            • Instruction Fuzzy Hash: F441C072A19B4589FB20CF25E8817ED33A4EB24B98F444576EE9C87B58EE3CD025C344
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$MessageObjectSend$ClassDeleteLongName
                                                                                                                            • String ID: STATIC
                                                                                                                            • API String ID: 2845197485-1882779555
                                                                                                                            • Opcode ID: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
                                                                                                                            • Instruction ID: 3cbf50877e9821d30c7cdc8a3f29eadb67bc56cf2d8759a98efff95acff3d07b
                                                                                                                            • Opcode Fuzzy Hash: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
                                                                                                                            • Instruction Fuzzy Hash: C731B221B0D64682FA74DB1AA6547B9A3A1FF8AFC1F000174DE8D87B55FE3CE40A8740
                                                                                                                            Similarity
                                                                                                                            • API ID: ItemTextWindow
                                                                                                                            • String ID: LICENSEDLG
                                                                                                                            • API String ID: 2478532303-2177901306
                                                                                                                            • Opcode ID: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
                                                                                                                            • Instruction ID: 446afdbf06d88b41a10c4a44be14b16b0c9312f95fd438bd93e2ecb8145bed43
                                                                                                                            • Opcode Fuzzy Hash: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
                                                                                                                            • Instruction Fuzzy Hash: BA41E125A1874682FB348B19E9007B9A361EF85F85F0401B9DE8E87B94EF3CE5469300
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$CurrentDirectoryProcessSystem
                                                                                                                            • String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
                                                                                                                            • API String ID: 2915667086-2207617598
                                                                                                                            • Opcode ID: 6794cfd2df2083ddb130d433e4ca33b69faefb70ddab7dfcfa84983386d80e8a
                                                                                                                            • Instruction ID: d7d0762341bf5880a25d92226aaa66c64d293a29a5e9fd1c12ff22f252bfb894
                                                                                                                            • Opcode Fuzzy Hash: 6794cfd2df2083ddb130d433e4ca33b69faefb70ddab7dfcfa84983386d80e8a
                                                                                                                            • Instruction Fuzzy Hash: A8319E24E09B0681FE759B16AA50179A3A0EF5AF95F0401B9CDDEC33E4FE3CE8918310
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                            • String ID: $
                                                                                                                            • API String ID: 3668304517-227171996
                                                                                                                            • Opcode ID: 985a00139ea5e3bf963bc6a93751df8f54edf16f97884becaab5ae420eb3c386
                                                                                                                            • Instruction ID: ef49e0fa1e9ebfc10c28dde65adb2abc0a8e70b25d4310c6edb0732e627585c1
                                                                                                                            • Opcode Fuzzy Hash: 985a00139ea5e3bf963bc6a93751df8f54edf16f97884becaab5ae420eb3c386
                                                                                                                            • Instruction Fuzzy Hash: 25F1F1A2F1574A40FF288B68D2841BCA322EF56B99F405779DA9D937D5EF7CD0808340
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
                                                                                                                            • String ID: csm$csm$csm
                                                                                                                            • API String ID: 2940173790-393685449
                                                                                                                            • Opcode ID: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
                                                                                                                            • Instruction ID: 1e1c570f45af0184dafca2326b1d068e95e929cfba75e7039c6238c4d9208a43
                                                                                                                            • Opcode Fuzzy Hash: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
                                                                                                                            • Instruction Fuzzy Hash: F0E19E72A087828AE7309F65D4803AD7BA0FB65B98F144175DECD87696EF38E485CB40
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocClearStringVariant
                                                                                                                            • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
                                                                                                                            • API String ID: 1959693985-3505469590
                                                                                                                            • Opcode ID: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
                                                                                                                            • Instruction ID: 3d894c6df2eda95ae603357a7b4b3d6861a0ae6998746a20ffafb88a55336682
                                                                                                                            • Opcode Fuzzy Hash: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
                                                                                                                            • Instruction Fuzzy Hash: 44714D76A14B0596EB20CF25E8805AD77B0FB99B98F045176EE8E83BA4EF3CD554C310
                                                                                                                            APIs
                                                                                                                            • LoadLibraryExW.KERNEL32(?,?,00000000,00007FF69D4074F3,?,?,?,00007FF69D40525E,?,?,?,00007FF69D405219), ref: 00007FF69D407371
                                                                                                                            • GetLastError.KERNEL32(?,?,00000000,00007FF69D4074F3,?,?,?,00007FF69D40525E,?,?,?,00007FF69D405219), ref: 00007FF69D40737F
                                                                                                                            • LoadLibraryExW.KERNEL32(?,?,00000000,00007FF69D4074F3,?,?,?,00007FF69D40525E,?,?,?,00007FF69D405219), ref: 00007FF69D4073A9
                                                                                                                            • FreeLibrary.KERNEL32(?,?,00000000,00007FF69D4074F3,?,?,?,00007FF69D40525E,?,?,?,00007FF69D405219), ref: 00007FF69D4073EF
                                                                                                                            • GetProcAddress.KERNEL32(?,?,00000000,00007FF69D4074F3,?,?,?,00007FF69D40525E,?,?,?,00007FF69D405219), ref: 00007FF69D4073FB
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                                            • String ID: api-ms-
                                                                                                                            • API String ID: 2559590344-2084034818
                                                                                                                            • Opcode ID: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
                                                                                                                            • Instruction ID: 992e7f1bb318f02f11546230425599e9c0f6b4f9070d058937482632e3c2ac2a
                                                                                                                            • Opcode Fuzzy Hash: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
                                                                                                                            • Instruction Fuzzy Hash: A731DE25A1A642A1FF31AB06E8006792298FF68FE0F294575DD9D9B380FF3CE460C711
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleW.KERNEL32(?,?,?,00007FF69D401573,?,?,?,00007FF69D40192A), ref: 00007FF69D40162B
                                                                                                                            • GetProcAddress.KERNEL32(?,?,?,00007FF69D401573,?,?,?,00007FF69D40192A), ref: 00007FF69D401648
                                                                                                                            • GetProcAddress.KERNEL32(?,?,?,00007FF69D401573,?,?,?,00007FF69D40192A), ref: 00007FF69D401664
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$HandleModule
                                                                                                                            • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                                                                                            • API String ID: 667068680-1718035505
                                                                                                                            • Opcode ID: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
                                                                                                                            • Instruction ID: dd0136ad419d96b92a0ae8c6754c5f7d01e1e54cb149ff056d1716880ca463a9
                                                                                                                            • Opcode Fuzzy Hash: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
                                                                                                                            • Instruction Fuzzy Hash: 26110921A1AB0392FE758B04EA402746295EF2AFD4F4C58B5C8DDC6390FE7CA4958701
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00007FF69D3E51A4: GetVersionExW.KERNEL32 ref: 00007FF69D3E51D5
                                                                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF69D3D5AB4), ref: 00007FF69D3EED8C
                                                                                                                            • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF69D3D5AB4), ref: 00007FF69D3EED98
                                                                                                                            • SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF69D3D5AB4), ref: 00007FF69D3EEDA8
                                                                                                                            • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF69D3D5AB4), ref: 00007FF69D3EEDB6
                                                                                                                            • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF69D3D5AB4), ref: 00007FF69D3EEDC4
                                                                                                                            • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF69D3D5AB4), ref: 00007FF69D3EEE05
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Time$File$System$Local$SpecificVersion
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2092733347-0
                                                                                                                            • Opcode ID: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
                                                                                                                            • Instruction ID: 8d704436f661bff155bef42bbcc770bcd6e6ba94bfa7efc58d6d65383e87b1d4
                                                                                                                            • Opcode Fuzzy Hash: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
                                                                                                                            • Instruction Fuzzy Hash: C7515AB2B106518BEB24CFA9D4401BC77B1F748B89B64403ADE4DA7B58EF38E956C740
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Time$File$System$Local$SpecificVersion
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2092733347-0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                            • String ID: .rar$exe$rar$sfx
                                                                                                                            • API String ID: 3668304517-630704357
                                                                                                                            Similarity
                                                                                                                            • API ID: abort$CallEncodePointerTranslator
                                                                                                                            • String ID: MOC$RCC
                                                                                                                            • API String ID: 2889003569-2084237596
                                                                                                                            Similarity
                                                                                                                            • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                                            • String ID: csm$f
                                                                                                                            • API String ID: 2395640692-629598281
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast_invalid_parameter_noinfo_noreturn$CloseCurrentHandleProcess
                                                                                                                            • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                                                                                            • API String ID: 2102711378-639343689
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$Show$Rect
                                                                                                                            • String ID: RarHtmlClassName
                                                                                                                            • API String ID: 2396740005-1658105358
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: RENAMEDLG$REPLACEFILEDLG
                                                                                                                            • API String ID: 0-56093855
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                                                                            • API String ID: 4061214504-1276376045
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3215553584-0
                                                                                                                            Similarity
                                                                                                                            • API ID: File$Create$CloseHandleTime_invalid_parameter_noinfo_noreturn
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2398171386-0
                                                                                                                            APIs
                                                                                                                            Similarity
                                                                                                                            • API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3659116390-0
                                                                                                                            APIs
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharMultiWide$AllocString
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 262959230-0
                                                                                                                            APIs
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 190572456-0
                                                                                                                            APIs
                                                                                                                            Similarity
                                                                                                                            • API ID: _set_statfp
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1156100317-0
                                                                                                                            APIs
                                                                                                                            Similarity
                                                                                                                            • API ID: Message$DispatchObjectPeekSingleTranslateWait
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3621893840-0
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: __except_validate_context_recordabort
                                                                                                                            • String ID: csm$csm
                                                                                                                            • API String ID: 746414643-3733052814
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                            • String ID: $*
                                                                                                                            • API String ID: 3215553584-3982473090
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharMultiWide$StringType
                                                                                                                            • String ID: $%s
                                                                                                                            • API String ID: 3586891840-3791308623
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateFrameInfo__except_validate_context_recordabort
                                                                                                                            • String ID: csm
                                                                                                                            • API String ID: 2466640111-1018135373
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharErrorFileLastMultiWideWrite
                                                                                                                            • String ID: U
                                                                                                                            • API String ID: 2456169464-4171548499
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: ObjectRelease
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1429681911-3916222277
                                                                                                                            APIs
                                                                                                                            • InitializeCriticalSection.KERNEL32(?,?,?,00007FF69D3F317F,?,?,00001000,00007FF69D3DE51D), ref: 00007FF69D3EE8BB
                                                                                                                            • CreateSemaphoreW.KERNEL32(?,?,?,00007FF69D3F317F,?,?,00001000,00007FF69D3DE51D), ref: 00007FF69D3EE8CB
                                                                                                                            • CreateEventW.KERNEL32(?,?,?,00007FF69D3F317F,?,?,00001000,00007FF69D3DE51D), ref: 00007FF69D3EE8E4
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                                                                                            • String ID: Thread pool initialization failed.
                                                                                                                            • API String ID: 3340455307-2182114853
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: CapsDeviceRelease
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 127614599-3916222277
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo_noreturn$FileTime
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1137671866-0
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1452528299-0
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1077098981-0
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4141327611-0
                                                                                                                            • Opcode ID: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
                                                                                                                            • Instruction ID: e98464615a3456358f8496a957669147f83abf42a40d3443b961be711c0f612a
                                                                                                                            • Opcode Fuzzy Hash: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
                                                                                                                            • Instruction Fuzzy Hash: B3418432A0C68246F7759E10D844379A6A0EFA0FD0F1441B1DBCD87EDAEF6CD8498B00
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FileMove_invalid_parameter_noinfo_noreturn
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3823481717-0
                                                                                                                            • Opcode ID: 9a9a58264430c11791c0c606b390f78d08ba3037c1fa37d6a31b7cedc8df9908
                                                                                                                            • Instruction ID: 8c7665df5e5a5d4f4d78f40cb3b3e6c29b4d84fd904e0a2b9ac0b76441022433
                                                                                                                            • Opcode Fuzzy Hash: 9a9a58264430c11791c0c606b390f78d08ba3037c1fa37d6a31b7cedc8df9908
                                                                                                                            • Instruction Fuzzy Hash: 2641B062F14B5185FB10DBB6D8841BC6371FB45BA9B005275DE9DA7AD9EF38D481C300
                                                                                                                            APIs
                                                                                                                            • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF69D40C45B), ref: 00007FF69D410B91
                                                                                                                            • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF69D40C45B), ref: 00007FF69D410BF3
                                                                                                                            • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF69D40C45B), ref: 00007FF69D410C2D
                                                                                                                            • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF69D40C45B), ref: 00007FF69D410C57
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharEnvironmentMultiStringsWide$Free
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1557788787-0
                                                                                                                            • Opcode ID: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
                                                                                                                            • Instruction ID: e153abef6e6f735c486b8916fec965151244e061d9ace7fed916cf3a66b77616
                                                                                                                            • Opcode Fuzzy Hash: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
                                                                                                                            • Instruction Fuzzy Hash: 10216431B1DB5581E7349F11A540029B6A4FB64FD0B484174DEDEA3BD8EF3CE4628B04
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$abort
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1447195878-0
                                                                                                                            • Opcode ID: df247b5a3948333368795c339682862bf84e23f7c025c70b8dad3e7beb060077
                                                                                                                            • Instruction ID: 6a9226644faf3897bf35acd7de2073b5a1eff16238b5987f2981a991a153b2b0
                                                                                                                            • Opcode Fuzzy Hash: df247b5a3948333368795c339682862bf84e23f7c025c70b8dad3e7beb060077
                                                                                                                            • Instruction Fuzzy Hash: 27014C10B0960742FB79A731EA5523821A1DF64FD0F0445B8D99ED6BD6FE2CF8494301
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CapsDevice$Release
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1035833867-0
                                                                                                                            • Opcode ID: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
                                                                                                                            • Instruction ID: d6f6667409c7128c99ad505c93630d312929a3978dca8f21a6c806ba87b549c1
                                                                                                                            • Opcode Fuzzy Hash: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
                                                                                                                            • Instruction Fuzzy Hash: 14E01264E0AB0682FF285B7D6A9D176A1A0EF48F42F0845B9CC9FC6350FD3CA495C710
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                            • String ID: DXGIDebug.dll
                                                                                                                            • API String ID: 3668304517-540382549
                                                                                                                            • Opcode ID: 59f5a07f3fb2ea719f45a05ba6c1ae5c7d9afb2a0aed67dbb2f715f9973f08e5
                                                                                                                            • Instruction ID: d09296d0cede20d50e65f04f7b168ab2b6dfda92920b289b97cf81f8f9a4bb26
                                                                                                                            • Opcode Fuzzy Hash: 59f5a07f3fb2ea719f45a05ba6c1ae5c7d9afb2a0aed67dbb2f715f9973f08e5
                                                                                                                            • Instruction Fuzzy Hash: 48719D72A14B8186EB24CB65E4403ADB3A9FB55BD4F44423ADBEC47B95EF78E461C300
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                            • String ID: e+000$gfff
                                                                                                                            • API String ID: 3215553584-3030954782
                                                                                                                            • Opcode ID: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
                                                                                                                            • Instruction ID: 3b9aa3957a14c5087299e044baa80bcb7d79919472631e54596d9555766a406c
                                                                                                                            • Opcode Fuzzy Hash: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
                                                                                                                            • Instruction Fuzzy Hash: C8510162B187C186E7358B35D940369AA95EBA1FD0F0892B5CBDCC7BD6EE3CE4548700
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _invalid_parameter_noinfo_noreturn$swprintf
                                                                                                                            • String ID: SIZE
                                                                                                                            • API String ID: 449872665-3243624926
                                                                                                                            • Opcode ID: 95182320ee7b3a48c420107a4992996f84afbbac13f0d5532198c1d22c251322
                                                                                                                            • Instruction ID: 162e3d49ba85e5c271d01d7e9d1f95066c6bf07760df2ef23f98e64f713eec00
                                                                                                                            • Opcode Fuzzy Hash: 95182320ee7b3a48c420107a4992996f84afbbac13f0d5532198c1d22c251322
                                                                                                                            • Instruction Fuzzy Hash: 2D41D562A1878286EE20DF14E4413BDA350EF96791F504275EBDD866D6FE3CD940C750
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1734408417.00007FF69D3D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69D3D0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1734297144.00007FF69D3D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734457055.00007FF69D418000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D42B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734484116.00007FF69D434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1734581812.00007FF69D43E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff69d3d0000_442.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FileModuleName_invalid_parameter_noinfo
                                                                                                                            • String ID: C:\Users\user\Desktop\442.docx.exe
                                                                                                                            • API String ID: 3307058713-4147804102
                                                                                                                            • Opcode ID: 2b307fc7043d57580c2760bc14d10e66149d3294dbd6a1f00798eb6953a6f573
                                                                                                                            • Instruction ID: 62ea991ea038b34b6eba2afa61e2883c34237bc1478b0d2833c02d20ee100f25
                                                                                                                            • Opcode Fuzzy Hash: 2b307fc7043d57580c2760bc14d10e66149d3294dbd6a1f00798eb6953a6f573
                                                                                                                            • Instruction Fuzzy Hash: E8416D32A18A52CAEB249F25E9401BC77A8EB54FD4F484075EA8E87B95EF3DE451C300
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: ItemText$DialogWindow
                                                                                                                            • String ID: ASKNEXTVOL
                                                                                                                            • API String ID: 445417207-3402441367
                                                                                                                            • Opcode ID: d0a7277abea115b5451496591776496c59c44b7436eace80e69975e6a8ac9e23
                                                                                                                            • Instruction ID: f8bc81644a0c8339fe498928b18d10ae5ca3fc2a62e493eacf6d2a7d20bd1196
                                                                                                                            • Opcode Fuzzy Hash: d0a7277abea115b5451496591776496c59c44b7436eace80e69975e6a8ac9e23
                                                                                                                            • Instruction Fuzzy Hash: 8341C422A0868642FA709F1AE5502BDA391EF86FC1F1400B9DECD87799FF3CE8459750
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharMultiWide_snwprintf
                                                                                                                            • String ID: $%s$@%s
                                                                                                                            • API String ID: 2650857296-834177443
                                                                                                                            • Opcode ID: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
                                                                                                                            • Instruction ID: 49a3150c45b8eda41c78700885b7469283c7b2cb7024a7e2328760fef92b2cce
                                                                                                                            • Opcode Fuzzy Hash: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
                                                                                                                            • Instruction Fuzzy Hash: BE31D072B18A5696EE208F26E4406FDA3A0EB55BC4F40007ADE8D97795FE3CE905C710
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: FileHandleType
                                                                                                                            • String ID: @
                                                                                                                            • API String ID: 3000768030-2766056989
                                                                                                                            • Opcode ID: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
                                                                                                                            • Instruction ID: 708756976f2429d2a68ad083857e1810301507a8c4f9a277a2716d855729df91
                                                                                                                            • Opcode Fuzzy Hash: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
                                                                                                                            • Instruction Fuzzy Hash: 16219522A0CA8241EB74CB28D4901396661EB65FB4F280375D6EF877D4EE3DD891C301
                                                                                                                            APIs
                                                                                                                            • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF69D401D3E), ref: 00007FF69D4040BC
                                                                                                                            • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF69D401D3E), ref: 00007FF69D404102
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: ExceptionFileHeaderRaise
                                                                                                                            • String ID: csm
                                                                                                                            • API String ID: 2573137834-1018135373
                                                                                                                            • Opcode ID: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
                                                                                                                            • Instruction ID: 3bb0ae57b1a69e2f99049dfe2d3f20c986899100451075c25a29e5c095d7bd40
                                                                                                                            • Opcode Fuzzy Hash: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
                                                                                                                            • Instruction Fuzzy Hash: D0113A32608B8582EB208B15E44026AB7E1FB98F94F188271DFCD57769EF3DD565CB40
                                                                                                                            APIs
                                                                                                                            • WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF69D3EE95F,?,?,?,00007FF69D3E463A,?,?,?), ref: 00007FF69D3EEA63
                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF69D3EE95F,?,?,?,00007FF69D3E463A,?,?,?), ref: 00007FF69D3EEA6E
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLastObjectSingleWait
                                                                                                                            • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                                                                                            • API String ID: 1211598281-2248577382
                                                                                                                            • Opcode ID: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
                                                                                                                            • Instruction ID: 9c033b6e6b6b048d9a5f18ae0806b8025ddb680abba20d70e05b9481327ed041
                                                                                                                            • Opcode Fuzzy Hash: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
                                                                                                                            • Instruction Fuzzy Hash: C1E04F61E1984292F630AB25AC425797220FF61BB1F9003B5D0BEC11F1BF2CA959C701
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: FindHandleModuleResource
                                                                                                                            • String ID: RTL
                                                                                                                            • API String ID: 3537982541-834975271
                                                                                                                            • Opcode ID: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
                                                                                                                            • Instruction ID: 0c522995ff451d3bf2bd22da0831f2b8f80feec3a9d7fb961b121c5955b95394
                                                                                                                            • Opcode Fuzzy Hash: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
                                                                                                                            • Instruction Fuzzy Hash: E9D05E92F1960682FF398B71A4497342651DF29F42F4840B8CC8E86391FE3CD4A8C751

                                                                                                                            Execution Graph

                                                                                                                            Execution Coverage:1%
                                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                                            Signature Coverage:5.8%
                                                                                                                            Total number of Nodes:1056
                                                                                                                            Total number of Limit Nodes:13
6272 6010807a 6271->6272 6272->6239 6274 60108056 6273->6274 6274->6239 6276 60106ad0 13 API calls 6275->6276 6277 60107e3a TlsGetValue 6276->6277 6278 60107ea0 6277->6278 6282 60107e51 6277->6282 6279 60106b90 39 API calls 6278->6279 6279->6282 6280 60107e60 6280->6267 6281 60107e92 6283 6005f7e0 4 API calls 6281->6283 6282->6280 6282->6281 6284 60107eb1 6282->6284 6285 60107e9a 6283->6285 6286 60107ed1 6284->6286 6287 60107ec7 ResetEvent 6284->6287 6285->6267 6288 6005f7e0 4 API calls 6286->6288 6287->6286 6289 60107ed9 6288->6289 6337 60107d40 6289->6337 6322 60106850 9 API calls 6321->6322 6325 60106b9c 6322->6325 6323 60106ca3 6323->6260 6324 60106ba6 GetCurrentThreadId CreateEventA 6324->6325 6325->6323 6325->6324 6326 60106bfc GetCurrentProcess GetCurrentThread GetCurrentProcess DuplicateHandle 6325->6326 6332 60106cad 6325->6332 6327 60106c60 GetThreadPriority TlsSetValue 6326->6327 6328 601b242a abort GetModuleHandleA 6326->6328 6327->6323 6327->6328 6330 601b24a9 6328->6330 6331 601b2479 GetProcAddress GetProcAddress 6328->6331 6329 601066e0 8 API calls 6329->6332 6330->6260 6331->6330 6332->6329 6333 60106ad0 13 API calls 6332->6333 6334 60106cc8 TlsGetValue 6333->6334 6335 60106ce8 6334->6335 6336 60106cdd 6334->6336 6335->6321 6335->6328 6336->6260 6338 60107d49 6337->6338 6400 60107cf0 6338->6400 6341 60107cf0 40 API calls 6342 60107d93 6341->6342 6406 60107bb0 6342->6406 6401 60106ad0 13 API calls 6400->6401 6402 60107cf8 TlsGetValue 6401->6402 6403 60107d30 6402->6403 6404 60107d0d 6402->6404 6405 60106b90 39 API calls 6403->6405 6404->6341 6405->6404 6407 60107bbe 6406->6407 6408 60107bd2 6407->6408 6421 60106cf0 6407->6421 6410 60107bd8 longjmp 6408->6410 6411 60107bec TlsGetValue 6408->6411 6410->6411 6412 60107c01 6411->6412 6413 60107c2d _endthreadex 6411->6413 6414 60107c0a 6412->6414 6415 60107c6d 6412->6415 6416 60107c36 CloseHandle 6413->6416 6418 60107c22 6414->6418 6419 60107c18 CloseHandle 6414->6419 6417 60107c77 CloseHandle 6415->6417 
6415->6418 6416->6418 6417->6418 6418->6413 6418->6416 6420 60107c55 TlsSetValue 6418->6420 6419->6418 6420->6413 6422 60106e10 6421->6422 6423 60106cf8 6421->6423 6422->6408 6424 6005f7e0 4 API calls 6423->6424 6428 60106d22 6424->6428 6425 60106df1 6425->6408 6428->6425 6429 6010a1f0 6428->6429 6436 6010a500 6428->6436 6445 6010a010 6429->6445 6431 6010a206 6431->6428 6432 6010a202 6432->6431 6433 6005f7e0 4 API calls 6432->6433 6435 6010a237 6432->6435 6433->6435 6434 6005f7e0 malloc free SetEvent GetCurrentThreadId 6434->6435 6435->6434 6438 6010a511 6436->6438 6437 6010a580 6437->6428 6438->6437 6439 6005f7e0 4 API calls 6438->6439 6444 6010a53b 6438->6444 6440 6010a531 6439->6440 6441 6005f7e0 4 API calls 6440->6441 6441->6444 6442 6005f7e0 malloc free SetEvent GetCurrentThreadId 6442->6444 6444->6442 6483 60105b50 6444->6483 6446 6010a060 6445->6446 6448 6010a01e 6445->6448 6449 60109fb0 6446->6449 6448->6432 6450 60109fc2 6449->6450 6451 60109ff0 6450->6451 6454 60109e70 6450->6454 6451->6448 6453 60109fd7 6453->6448 6455 60109e83 calloc 6454->6455 6456 60109f68 6454->6456 6457 60109ea7 6455->6457 6458 60109f09 6455->6458 6456->6453 6459 60109f20 free 6457->6459 6460 60109ed9 6457->6460 6458->6453 6459->6453 6461 60109f40 6460->6461 6462 60109ef0 6460->6462 6464 6005f980 2 API calls 6461->6464 6471 601054a0 6462->6471 6466 60109f4c free 6464->6466 6465 60109f03 6465->6458 6467 6005f980 2 API calls 6465->6467 6466->6453 6468 60109f8c 6467->6468 6469 6005f980 2 API calls 6468->6469 6470 60109f94 free 6469->6470 6470->6458 6472 601055f0 6471->6472 6473 601054c1 6471->6473 6472->6465 6474 601054ce calloc 6473->6474 6475 60105598 6473->6475 6474->6475 6476 601054ec CreateSemaphoreA CreateSemaphoreA 6474->6476 6475->6465 6477 60105555 6476->6477 6478 601055b7 6476->6478 6481 601055a8 CloseHandle 6477->6481 6482 60105559 InitializeCriticalSection InitializeCriticalSection InitializeCriticalSection 6477->6482 6479 601055c7 free 6478->6479 6480 601055bb CloseHandle 
6478->6480 6479->6465 6480->6479 6481->6478 6482->6475 6484 60105b61 6483->6484 6485 60105b81 6483->6485 6484->6485 6486 60105b90 EnterCriticalSection 6484->6486 6485->6444 6487 60105ba6 6486->6487 6493 60105bd9 6486->6493 6488 60105c50 LeaveCriticalSection 6487->6488 6494 60105900 EnterCriticalSection LeaveCriticalSection 6487->6494 6488->6485 6489 60105c1d LeaveCriticalSection 6489->6488 6491 60105bd1 6492 60105c68 LeaveCriticalSection 6491->6492 6491->6493 6492->6485 6493->6488 6493->6489 6495 60105945 6494->6495 6496 60105958 6494->6496 6495->6491 6501 60105620 6496->6501 6498 60105974 EnterCriticalSection 6499 60105982 LeaveCriticalSection 6498->6499 6500 60105998 6498->6500 6499->6491 6500->6499 6502 60105645 6501->6502 6505 60105850 6501->6505 6542 60107ac0 6502->6542 6506 60105898 WaitForSingleObject 6505->6506 6512 60105700 6505->6512 6506->6512 6507 60105710 6510 60105760 6507->6510 6541 6010571a 6507->6541 6509 601057b9 6509->6498 6513 60105820 6510->6513 6519 60107c90 40 API calls 6510->6519 6523 6010578f 6510->6523 6533 6010579c 6510->6533 6511 6010565a 6511->6505 6511->6512 6515 601056c0 6511->6515 6524 60105752 6511->6524 6529 60105698 ResetEvent 6511->6529 6536 60107e30 91 API calls 6511->6536 6548 6005fe90 6511->6548 6512->6509 6514 60105900 EnterCriticalSection LeaveCriticalSection 6512->6514 6516 60107c90 40 API calls 6513->6516 6520 60105945 6514->6520 6521 60105958 6514->6521 6515->6505 6517 601056d0 WaitForSingleObject 6515->6517 6526 60105825 6516->6526 6517->6512 6531 601056f0 6517->6531 6518 60107c90 40 API calls 6518->6524 6519->6510 6520->6498 6530 60105620 91 API calls 6521->6530 6522 601057f8 WaitForSingleObject 6522->6512 6522->6524 6523->6512 6528 60107c90 40 API calls 6523->6528 6524->6512 6527 60107e30 91 API calls 6524->6527 6525 60105743 6525->6512 6525->6518 6525->6524 6526->6533 6534 6010582d WaitForSingleObject 6526->6534 6527->6512 6528->6533 6529->6511 6529->6533 6535 60105974 EnterCriticalSection 6530->6535 6531->6512 6556 
60107c90 6531->6556 6532 60107c90 40 API calls 6532->6541 6533->6512 6537 60107e30 91 API calls 6533->6537 6534->6512 6538 60105982 LeaveCriticalSection 6535->6538 6539 60105998 6535->6539 6536->6511 6537->6512 6538->6498 6539->6538 6541->6512 6541->6522 6541->6525 6541->6532 6543 60106ad0 13 API calls 6542->6543 6544 60107ac8 TlsGetValue 6543->6544 6545 60107ae8 6544->6545 6546 6010564e 6544->6546 6547 60106b90 39 API calls 6545->6547 6546->6507 6546->6511 6547->6546 6549 6005fec6 6548->6549 6550 6005ff60 WaitForMultipleObjects 6548->6550 6551 6005fb30 QueryPerformanceCounter GetTickCount QueryPerformanceFrequency GetSystemTimeAsFileTime 6549->6551 6553 6005fecf 6549->6553 6555 6005ff2d 6550->6555 6551->6553 6552 6005feec WaitForMultipleObjects 6552->6553 6552->6555 6553->6552 6554 6005fb30 QueryPerformanceCounter GetTickCount QueryPerformanceFrequency GetSystemTimeAsFileTime 6553->6554 6553->6555 6554->6553 6555->6511 6557 60107ca0 6556->6557 6558 60107c99 6556->6558 6559 60106ad0 13 API calls 6557->6559 6558->6512 6560 60107ca8 TlsGetValue 6559->6560 6561 60107ce0 6560->6561 6563 60107cbd 6560->6563 6562 60106b90 39 API calls 6561->6562 6562->6563 6563->6512 5806 5fd445a0 5807 5fd445cf 5806->5807 5817 5fd4473c 5806->5817 5808 5fd445d5 5807->5808 5813 5fd44690 5807->5813 5825 601adbf0 malloc 5808->5825 5818 601aed7c 5817->5818 5833 5fd413e0 5817->5833 5820 601aed89 5818->5820 5823 5fd413e0 5 API calls 5818->5823 5822 601aed92 5820->5822 5824 5fd413e0 5 API calls 5820->5824 5823->5820 5824->5822 5826 601adc15 5825->5826 5828 601af994 fwrite 5826->5828 5829 601af9e7 5826->5829 5827 601af9f3 abort free 5827->5829 5830 601af9bd fputs 5828->5830 5829->5827 5832 601afa35 5829->5832 5831 601af9d2 fputc 5830->5831 5831->5829 5836 60104970 5833->5836 5837 60104982 _lock 5836->5837 5838 5fd413f7 5836->5838 5839 601049f0 calloc 5837->5839 5841 60104994 5837->5841 5838->5818 5840 60104a1a _unlock 5839->5840 5839->5841 5840->5838 5842 601049c0 realloc 5841->5842 5843 6010499e 
_unlock 5841->5843 5842->5840 5844 601049de 5842->5844 5843->5838 5844->5843 6137 5fd422c0 6139 5fd422e6 6137->6139 6138 5fd42403 memcpy 6138->6139 6139->6138 6140 5fd42447 memcpy 6139->6140 6140->6139 6564 5fd41d00 6565 5fd41d0f 6564->6565 6566 5fd41d31 6565->6566 6568 5fd45ac0 6565->6568 6569 5fd45ade 6568->6569 6570 5fd45b35 6568->6570 6572 5fd45af3 6569->6572 6573 5fd45b7f 6569->6573 6570->6566 6571 5fd45b20 6574 6005f7e0 4 API calls 6571->6574 6572->6571 6583 5fd5c8f0 6572->6583 6576 6005f7e0 4 API calls 6573->6576 6574->6570 6578 601aef2a 6576->6578 6577 5fd45b1a 6577->6571 6609 5fd5f8b0 6577->6609 6580 6005f7e0 4 API calls 6578->6580 6582 601aef3a 6580->6582 6581 6005f7e0 4 API calls 6581->6582 6582->6581 6584 5fd5c905 6583->6584 6585 5fd5ca2e 6583->6585 6586 5fd5c95a 6584->6586 6588 5fd5c91c 6584->6588 6592 5fd5cac3 6584->6592 6587 5fe3bfc0 10 API calls 6585->6587 6586->6577 6589 5fd5ca4f 6587->6589 6590 5fd5ca75 6588->6590 6591 5fd5c928 6588->6591 6593 5fe3c340 10 API calls 6589->6593 6597 5fe3bfc0 10 API calls 6590->6597 6594 5fd5c992 6591->6594 6603 5fd5c93d 6591->6603 6595 5fe3bfc0 10 API calls 6592->6595 6593->6586 6599 5fe3bfc0 10 API calls 6594->6599 6596 5fd5cae4 6595->6596 6598 5fe3c340 10 API calls 6596->6598 6600 5fd5ca9d 6597->6600 6598->6586 6601 5fd5c9b7 6599->6601 6602 5fe3c340 10 API calls 6600->6602 6604 5fe3c340 10 API calls 6601->6604 6602->6586 6603->6586 6630 5fdf02e0 6603->6630 6606 5fd5c9d3 6604->6606 6606->6577 6610 5fd5f8c6 6609->6610 6611 5fd5f9a0 6609->6611 6612 5fd5f975 6610->6612 6613 5fd5f9e0 6610->6613 6615 5fd5f8d0 6610->6615 6611->6571 6625 5fd5f952 6612->6625 6860 5fd7d160 6612->6860 6614 5fd7d160 15 API calls 6613->6614 6613->6625 6614->6615 6617 5fd5f904 6615->6617 6619 5fd5fa70 6615->6619 6615->6625 6621 5fd5f918 6617->6621 6841 5fd7d260 6617->6841 6620 5fd7d260 15 API calls 6619->6620 6620->6625 6622 5fd7d260 15 API calls 6621->6622 6624 5fd5f937 6621->6624 6621->6625 6622->6624 6623 5fd7d260 15 API calls 6626 5fd5f940 
6623->6626 6624->6623 6624->6625 6624->6626 6625->6571 6626->6625 6627 5fd7d260 15 API calls 6626->6627 6629 5fd5f949 6626->6629 6627->6629 6628 5fd7d260 15 API calls 6628->6625 6629->6625 6629->6628 6631 5fdf02ff 6630->6631 6632 5fd5c9e5 6631->6632 6653 5fe84f80 GetLastError TlsGetValue SetLastError 6631->6653 6632->6586 6634 5fd573d0 6632->6634 6635 5fd574e0 6634->6635 6637 5fd573d8 6634->6637 6635->6586 6636 5fd57449 6636->6586 6637->6636 6644 5fd573fb 6637->6644 6708 5fdf03f0 6637->6708 6640 5fd57591 6640->6586 6641 5fd574cc 6641->6586 6642 5fd5742c 6642->6640 6643 5fd57488 6642->6643 6645 5fd57437 6642->6645 6646 5fe3bfc0 10 API calls 6643->6646 6644->6641 6654 5fdefc10 6644->6654 6645->6636 6647 5fe3bfc0 10 API calls 6645->6647 6649 5fd574b0 6646->6649 6648 5fd57568 6647->6648 6651 5fe3c340 10 API calls 6648->6651 6650 5fe3c340 10 API calls 6649->6650 6650->6641 6652 5fd57584 6651->6652 6652->6586 6653->6632 6655 5fdefc37 6654->6655 6695 5fdefc3b 6655->6695 6711 5fe84f80 GetLastError TlsGetValue SetLastError 6655->6711 6658 5fdefc5c 6659 5fdf0020 6658->6659 6661 5fe712f0 10 API calls 6658->6661 6666 5fdf00b0 6658->6666 6669 5fdefda0 6658->6669 6670 5fdefcb1 SwitchToFiber 6658->6670 6672 5fe84f80 GetLastError TlsGetValue SetLastError 6658->6672 6679 5fdf010c 6658->6679 6680 5fdefd3d memcpy 6658->6680 6681 5fdefec2 CreateFiber 6658->6681 6658->6695 6712 5fe6c050 6658->6712 6718 5fe6c100 6658->6718 6735 5fdef8f0 6658->6735 6767 5fe714d0 6658->6767 6778 5fe71180 6658->6778 6796 5ff84530 ConvertThreadToFiber 6658->6796 6798 5fe84fc0 TlsSetValue 6658->6798 6799 5fe84f80 GetLastError TlsGetValue SetLastError 6659->6799 6661->6658 6662 5fdf003c 6662->6666 6667 5fdf0044 6662->6667 6668 5fe3bfc0 10 API calls 6666->6668 6671 5febd400 13 API calls 6667->6671 6675 5fdf00eb 6668->6675 6683 5fe3bfc0 10 API calls 6669->6683 6676 5fe6c050 4 API calls 6670->6676 6671->6695 6672->6658 6677 5fe3c340 10 API calls 6675->6677 6676->6658 6677->6695 6800 5fe84f80 GetLastError 
TlsGetValue SetLastError 6679->6800 6680->6658 6681->6658 6684 5fdeffd0 6681->6684 6687 5fdefdc1 6683->6687 6693 5fdefff0 DeleteFiber 6684->6693 6685 5fe6c050 4 API calls 6685->6658 6689 5fe3c340 10 API calls 6687->6689 6688 5fdf0118 6690 5fdf011e 6688->6690 6691 5fdf015c 6688->6691 6692 5fdefddd 6689->6692 6700 5febd400 13 API calls 6690->6700 6697 5fe3bfc0 10 API calls 6691->6697 6722 5fe84f80 GetLastError TlsGetValue SetLastError 6692->6722 6693->6695 6695->6642 6696 5fdefdec 6698 5fdefdf6 6696->6698 6699 5fdeff93 6696->6699 6701 5fdf017d 6697->6701 6723 5febd400 6698->6723 6704 5fe3bfc0 10 API calls 6699->6704 6700->6695 6702 5fe3c340 10 API calls 6701->6702 6702->6695 6706 5fdeffb4 6704->6706 6705 5fdefe26 6705->6642 6707 5fe3c340 10 API calls 6706->6707 6707->6684 6709 5fe714d0 12 API calls 6708->6709 6710 5fdf040f 6709->6710 6710->6644 6711->6658 6714 5fe6c06d 6712->6714 6713 5fe6c086 6716 5fe6c0ae 6713->6716 6802 5fe84fc0 TlsSetValue 6713->6802 6714->6713 6801 5fe84f80 GetLastError TlsGetValue SetLastError 6714->6801 6716->6658 6719 5fdefd72 SwitchToFiber 6718->6719 6720 5fe6c110 6718->6720 6719->6685 6720->6719 6803 5fe84f80 GetLastError TlsGetValue SetLastError 6720->6803 6722->6696 6724 5febd411 6723->6724 6731 5febd43a 6723->6731 6725 5febd41b 6724->6725 6726 5febd484 6724->6726 6804 5febc640 6725->6804 6729 5fe3bfc0 10 API calls 6726->6729 6728 5febd429 6728->6731 6733 5febd453 memmove 6728->6733 6730 5febd4a5 6729->6730 6732 5fe3c340 10 API calls 6730->6732 6731->6705 6734 5febd4c1 6732->6734 6733->6731 6734->6705 6736 5fdefa40 6735->6736 6738 5fdef905 6735->6738 6737 5fe3bfc0 10 API calls 6736->6737 6740 5fdefa63 6737->6740 6739 5fe71180 19 API calls 6738->6739 6764 5fdef925 6738->6764 6741 5fdef94d 6739->6741 6742 5fe3c340 10 API calls 6740->6742 6744 5fe714d0 12 API calls 6741->6744 6741->6764 6743 5fdefa7f 6742->6743 6743->6658 6745 5fdef96d 6744->6745 6745->6764 6822 5febcb80 6745->6822 6747 5fdef983 6748 5fdefbb4 6747->6748 6751 5fdef98d 
6747->6751 6753 5fe3bfc0 10 API calls 6748->6753 6749 5fdef99a 6835 5fe84fc0 TlsSetValue 6749->6835 6750 5fe714d0 12 API calls 6750->6751 6751->6749 6751->6750 6754 5fdef9a0 CreateFiber 6751->6754 6758 5febd400 13 API calls 6751->6758 6755 5fdefbd5 6753->6755 6754->6751 6756 5fdefa90 6754->6756 6757 5fe3c340 10 API calls 6755->6757 6760 5fdefaab DeleteFiber 6756->6760 6757->6764 6758->6751 6759 5fdefa23 6761 5fe3bfc0 10 API calls 6759->6761 6759->6764 6760->6749 6762 5fdefb01 6761->6762 6763 5fe3c340 10 API calls 6762->6763 6766 5fdefb1d 6763->6766 6764->6658 6765 5fdefb5b DeleteFiber 6765->6766 6766->6764 6766->6765 6768 5fe71542 6767->6768 6769 5fe714ef 6767->6769 6770 5fe71559 malloc 6768->6770 6777 5fe7150c 6768->6777 6772 5fe71520 6769->6772 6773 5fe71506 6769->6773 6771 5fe71524 memset 6770->6771 6770->6773 6771->6658 6772->6771 6772->6777 6774 5fe3bfc0 10 API calls 6773->6774 6773->6777 6775 5fe71586 6774->6775 6776 5fe3c340 10 API calls 6775->6776 6776->6777 6777->6658 6836 5fe84f80 GetLastError TlsGetValue SetLastError 6778->6836 6780 5fe71192 6781 5fe71198 6780->6781 6783 5fe714d0 12 API calls 6780->6783 6782 5fe712f0 10 API calls 6781->6782 6789 5fe711b4 6782->6789 6784 5fe711ff 6783->6784 6784->6789 6837 5fe84fc0 TlsSetValue 6784->6837 6786 5fe71257 6839 5fe84fc0 TlsSetValue 6786->6839 6788 5fe71215 6788->6786 6788->6789 6838 5fe84e80 EnterCriticalSection 6788->6838 6789->6658 6791 5fe71253 6791->6786 6792 5febd400 13 API calls 6791->6792 6793 5fe7129e 6792->6793 6840 5fe84ea0 LeaveCriticalSection 6793->6840 6795 5fe712ab 6795->6781 6795->6786 6797 5ff8454e 6796->6797 6797->6658 6798->6658 6799->6662 6800->6688 6801->6713 6802->6716 6803->6719 6805 5febc65e 6804->6805 6807 5febc710 6804->6807 6806 5febc7c5 6805->6806 6818 5febc67b 6805->6818 6808 5fe714d0 12 API calls 6806->6808 6809 5fe3bfc0 10 API calls 6807->6809 6817 5febc6b1 6808->6817 6811 5febc731 6809->6811 6810 5febc77c 6815 5fe3bfc0 10 API calls 6810->6815 6813 5fe3c340 10 API calls 6811->6813 
6812 5fe713c0 free 6812->6817 6814 5febc74d 6813->6814 6814->6728 6819 5febc79d 6815->6819 6816 5febc686 6816->6812 6816->6817 6817->6728 6818->6810 6818->6816 6818->6817 6820 5fe3c340 10 API calls 6819->6820 6821 5febc7b9 6820->6821 6821->6728 6823 5fe714d0 12 API calls 6822->6823 6824 5febcba5 6823->6824 6825 5febcbc3 6824->6825 6826 5febcc20 6824->6826 6834 5febcc03 6824->6834 6827 5febcbdb 6825->6827 6828 5febcca0 6825->6828 6830 5fe3bfc0 10 API calls 6826->6830 6831 5fe713c0 free 6827->6831 6827->6834 6829 5fe714d0 12 API calls 6828->6829 6829->6834 6832 5febcc41 6830->6832 6831->6834 6833 5fe3c340 10 API calls 6832->6833 6833->6834 6834->6747 6835->6759 6836->6780 6837->6788 6838->6791 6839->6789 6840->6795 6842 5fd7d271 6841->6842 6843 5fd7d320 6841->6843 6844 5fd7d305 6842->6844 6845 5fd7d27c 6842->6845 6846 5fd78640 10 API calls 6843->6846 6886 5fec22f0 EnterCriticalSection 6844->6886 6848 5fd7d281 6845->6848 6849 5fd7d2c0 6845->6849 6850 5fd7d2f4 6846->6850 6878 5fec22f0 EnterCriticalSection 6848->6878 6880 5fd78640 6849->6880 6853 5fd7d2f8 6850->6853 6854 601af741 GetModuleHandleA 6850->6854 6853->6621 6856 601af7e9 6854->6856 6857 601af7b9 GetProcAddress GetProcAddress 6854->6857 6855 5fd7d28f 6879 5fec2330 LeaveCriticalSection 6855->6879 6856->6621 6857->6856 6859 5fd7d2b1 6859->6621 6861 5fd7d225 6860->6861 6862 5fd7d173 6860->6862 6865 5fd78640 10 API calls 6861->6865 6863 5fd7d200 6862->6863 6864 5fd7d17e 6862->6864 6889 5fec22f0 EnterCriticalSection 6863->6889 6867 5fd7d183 6864->6867 6868 5fd7d1c0 6864->6868 6870 5fd7d1f4 6865->6870 6887 5fec22f0 EnterCriticalSection 6867->6887 6871 5fd78640 10 API calls 6868->6871 6872 5fd7d1ac 6870->6872 6874 601af741 GetModuleHandleA 6870->6874 6871->6870 6872->6625 6873 5fd7d191 6888 5fec2330 LeaveCriticalSection 6873->6888 6876 601af7e9 6874->6876 6877 601af7b9 GetProcAddress GetProcAddress 6874->6877 6876->6625 6877->6876 6878->6855 6879->6859 6881 5fd78648 6880->6881 6882 5fe3bfc0 10 API calls 6881->6882 
6883 5fd78664 6882->6883 6884 5fe3c0e0 10 API calls 6883->6884 6885 5fd78688 6884->6885 6885->6850 6886->6855 6887->6873 6888->6872 6889->6873 6890 5fd41c80 6892 5fd41c8f 6890->6892 6891 5fd41c9d 6892->6891 6893 6005f7e0 4 API calls 6892->6893 6894 601aef0a 6893->6894 6895 6005f7e0 4 API calls 6894->6895 6896 601aef1a 6895->6896 6897 6005f7e0 4 API calls 6896->6897 6898 601aef2a 6897->6898 6899 6005f7e0 4 API calls 6898->6899 6901 601aef3a 6899->6901 6900 6005f7e0 4 API calls 6900->6901 6901->6900 6969 5fd42aa0 6972 5fd42b7e 6969->6972 6970 5fd43260 6971 5fd43287 memcpy 6970->6971 6973 5fd43380 6971->6973 6972->6970 6972->6973 6974 5fd43221 memcpy 6972->6974 6975 5fd433a1 memcpy 6973->6975 6974->6970 5845 5fe712f0 5846 5fe71332 5845->5846 5849 5fe7130e 5845->5849 5847 5fe71349 malloc 5846->5847 5853 5fe71329 5846->5853 5848 5fe71355 5847->5848 5847->5849 5849->5853 5854 5fe3bfc0 5849->5854 5856 5fe3bfd8 5854->5856 5855 5fe3c043 5864 5fe3c340 5855->5864 5856->5855 5857 5fe3c055 strlen 5856->5857 5859 5fe3c00c 5856->5859 5867 5fe712f0 5857->5867 5859->5855 5862 5fe3c090 strlen 5859->5862 5860 5fe3c078 5860->5859 5861 5fe3c082 strcpy 5860->5861 5861->5859 5863 5fe712f0 7 API calls 5862->5863 5863->5855 5876 5fe3c0e0 5864->5876 5866 5fe3c367 5866->5853 5868 5fe71332 5867->5868 5871 5fe7130e 5867->5871 5869 5fe71349 malloc 5868->5869 5875 5fe71329 5868->5875 5870 5fe71355 5869->5870 5869->5871 5870->5860 5872 5fe3bfc0 9 API calls 5871->5872 5871->5875 5873 5fe71379 5872->5873 5874 5fe3c340 9 API calls 5873->5874 5874->5875 5875->5860 5877 5fe3c0ec 5876->5877 5878 5fe3c137 5877->5878 5879 5fe713c0 free 5877->5879 5886 5fe3c16c 5877->5886 5880 5fe3c271 5878->5880 5881 5fe3c13f 5878->5881 5879->5878 5891 5fdf8a30 5880->5891 5887 5fe713c0 5881->5887 5885 5fe713c0 free 5885->5886 5886->5866 5888 5fe713e1 5887->5888 5889 5fe71440 free 5888->5889 5890 5fe713f8 5888->5890 5889->5890 5890->5886 5894 5fdf7c60 5891->5894 5899 5fdf7cad 5894->5899 5895 5fdf7cbc 5902 5fdf6700 
5895->5902 5897 5fdf6700 10 API calls 5897->5899 5898 5fdf7cde 5898->5885 5899->5895 5899->5897 5899->5898 5911 5fdf7610 5899->5911 5930 5fdf6850 5899->5930 5904 5fdf6713 5902->5904 5903 5fdf6723 5903->5898 5904->5903 5905 5fdf679e 5904->5905 5906 5fdf67d1 5904->5906 5907 5fe713c0 free 5905->5907 5908 5fe712f0 9 API calls 5906->5908 5907->5903 5909 5fdf67e9 5908->5909 5909->5903 5910 5fdf680b memcpy 5909->5910 5910->5903 5913 5fdf77d1 5911->5913 5914 5fdf765b 5911->5914 5912 5fe712f0 7 API calls 5912->5913 5913->5912 5916 5fdf7a31 memcpy 5913->5916 5917 5fdf6700 7 API calls 5913->5917 5921 5fdf788e 5913->5921 5922 5fe713c0 free 5913->5922 5923 5fdf786d 5913->5923 5924 5fdf7a73 5913->5924 5915 5fdf7767 strlen 5914->5915 5915->5913 5916->5913 5917->5913 5918 5fdf78d1 5919 5fdf6700 7 API calls 5918->5919 5918->5923 5928 5fdf7bf5 5918->5928 5919->5918 5920 5fdf6700 7 API calls 5920->5921 5921->5918 5921->5920 5921->5923 5922->5913 5923->5899 5924->5923 5925 5fe712f0 7 API calls 5924->5925 5926 5fe713c0 free 5924->5926 5929 5fdf7b9e memcpy 5924->5929 5925->5924 5926->5924 5927 5fdf6700 7 API calls 5927->5928 5928->5923 5928->5927 5929->5924 5952 5fdf6892 5930->5952 5931 5fdf6ddf 5932 5fdf6700 9 API calls 5931->5932 5933 5fdf6e06 5932->5933 5933->5899 5934 5fdf72e0 5935 5fdf6700 9 API calls 5934->5935 5939 5fdf7389 5934->5939 5943 5fdf7337 5935->5943 5936 5fdf7474 5938 5fdf6700 9 API calls 5936->5938 5946 5fdf74ab 5936->5946 5937 5fdf6700 9 API calls 5937->5939 5940 5fdf7552 5938->5940 5939->5936 5939->5937 5941 5fdf6d2f 5939->5941 5940->5941 5944 5fdf75d7 5940->5944 5945 5fdf7562 5940->5945 5941->5899 5942 5fdf6700 9 API calls 5942->5946 5943->5939 5943->5941 5947 5fdf6700 9 API calls 5943->5947 5949 5fdf6700 9 API calls 5944->5949 5948 5fdf6700 9 API calls 5945->5948 5946->5941 5946->5942 5947->5943 5950 5fdf7583 5948->5950 5949->5950 5950->5941 5950->5946 5951 5fdf6700 9 API calls 5950->5951 5951->5950 5952->5931 5952->5934 5952->5936 5952->5941 5954 5fdf6ca1 
5952->5954 5953 5fdf6ce0 5956 5fdf6700 9 API calls 5953->5956 5959 5fdf6cf0 5953->5959 5954->5953 5955 5fdf6fab 5954->5955 5958 5fdf6fb3 5954->5958 5963 5fdf6ffe 5954->5963 5955->5953 5955->5958 5956->5959 5957 5fdf6700 9 API calls 5957->5959 5960 5fdf6700 9 API calls 5958->5960 5962 5fdf6fbf 5958->5962 5959->5934 5959->5941 5959->5957 5960->5962 5961 5fdf6700 9 API calls 5961->5962 5962->5941 5962->5959 5962->5961 5963->5941 5963->5953 5964 5fe713c0 free 5963->5964 5965 5fe712f0 9 API calls 5963->5965 5966 5fdf712e memcpy 5963->5966 5964->5963 5965->5963 5966->5963 6141 6018a400 6142 6018a413 6141->6142 6157 6018a4d0 6141->6157 6143 6018a500 6142->6143 6144 6018a427 6142->6144 6145 6018a50d 6143->6145 6146 6018a520 memset 6143->6146 6147 6018a540 6144->6147 6148 6018a452 6144->6148 6153 6018a55a 6144->6153 6146->6145 6150 601adbf0 6 API calls 6147->6150 6151 601adbf0 6 API calls 6148->6151 6149 6018a598 memset 6152 6018a572 6149->6152 6150->6153 6154 6018a46b 6151->6154 6155 6018a4ab memmove 6152->6155 6152->6157 6153->6149 6153->6152 6154->6155 6156 6018a480 memset 6154->6156 6155->6157 6156->6155 6199 5fe9b650 6202 5fe99fc0 6199->6202 6201 5fe9b687 6204 5fe9a010 6202->6204 6203 5fe9a03d 6203->6201 6204->6203 6205 5fe3bfc0 10 API calls 6204->6205 6206 5fe9a091 6205->6206 6207 5fe3c340 10 API calls 6206->6207 6207->6203 6976 5fe92210 6977 5fe9221b 6976->6977 6978 5fe92239 6976->6978 6977->6978 6980 5fe91d20 6977->6980 6981 5fe91d54 6980->6981 6982 5fe91dc0 6981->6982 7000 5fe84e60 EnterCriticalSection 6981->7000 6984 5fe3bfc0 10 API calls 6982->6984 6987 5fe91de1 6984->6987 6985 5fe91d82 6985->6982 6986 5fe91d86 6985->6986 6988 5fe91d8f 6986->6988 6989 5fe91e04 6986->6989 6990 5fe3c340 10 API calls 6987->6990 7001 5fe84ea0 LeaveCriticalSection 6988->7001 7002 5fe84ea0 LeaveCriticalSection 6989->7002 6991 5fe91dfd 6990->6991 6991->6978 6993 5fe91dae 6995 5fe3bfc0 10 API calls 6993->6995 6996 5fe91db2 6993->6996 6997 5fe91e32 6995->6997 6996->6978 6998 5fe3c340 10 
API calls 6997->6998 6999 5fe91e4e 6998->6999 6999->6978 7000->6985 7001->6993 7002->6993 5967 601ae260 5969 601ae286 5967->5969 5971 601ae2d2 5967->5971 5968 601ae348 5969->5971 6016 60157c80 5969->6016 5971->5968 5975 601ae53a 5971->5975 5987 601ae487 5971->5987 5991 601ae4e0 5971->5991 5972 601ae50d 5973 601ae4a0 5976 601ae7d6 5973->5976 5996 601ae4b0 5973->5996 6027 6010bac0 5975->6027 5977 6010bac0 31 API calls 5976->5977 5981 601ae7e9 5977->5981 5980 601ae4cc 5983 600f8ba0 7 API calls 5980->5983 5984 6010bc80 31 API calls 5981->5984 5983->5991 5986 601ae7f7 5984->5986 5988 6010bc80 31 API calls 5986->5988 5987->5973 5992 601ae680 5987->5992 6002 601ae55b 5987->6002 5989 601ae800 5988->5989 5989->5996 5990 601ae9dc 5990->5991 5993 601af844 abort 5990->5993 5991->5972 6004 601af871 5991->6004 5992->5973 5992->5990 5992->5991 5992->5996 5998 601ae946 5992->5998 5993->5991 5995 6010bc80 31 API calls 5995->6002 5996->5991 6020 600f8ba0 5996->6020 5998->5992 6071 6010bd40 5998->6071 6095 6010ba50 5998->6095 6101 6010bb90 5998->6101 5999 6010bd40 31 API calls 5999->6002 6000 6010bac0 31 API calls 6000->6004 6002->5987 6002->5995 6002->5999 6056 601add60 6002->6056 6003 6010bb90 31 API calls 6003->6004 6004->6000 6004->6003 6005 601af907 6004->6005 6006 601af92f abort 6005->6006 6007 601adce0 6006->6007 6008 601af93d abort 6007->6008 6009 601af944 6008->6009 6011 601af994 fwrite 6009->6011 6014 601af9e7 6009->6014 6010 601af9f3 abort free 6010->6014 6012 601af9bd fputs 6011->6012 6013 601af9d2 fputc 6012->6013 6013->6014 6014->6010 6015 601afa35 6014->6015 6017 60157c90 6016->6017 6018 60157cb8 6016->6018 6017->6018 6019 60157c9a strcmp 6017->6019 6018->5971 6019->6018 6021 600f8bb9 6020->6021 6022 601b2382 6 API calls 6020->6022 6021->6022 6025 600f8bd9 6021->6025 6023 601b23ea rand_s 6022->6023 6024 601b23e9 6022->6024 6026 601b23fe 6023->6026 6024->5980 6025->5980 6026->5980 6028 6010bad3 6027->6028 6029 6010bc80 31 API calls 6028->6029 6031 6010bae8 6028->6031 
6030 6010bb6c 6029->6030 6032 6010bd40 31 API calls 6030->6032 6033 6010bc80 6031->6033 6032->6031 6034 6010bcb0 6033->6034 6035 6010bc84 6033->6035 6034->6002 6036 601af818 abort 6035->6036 6037 6010bc94 6035->6037 6038 601af820 6036->6038 6037->6002 6039 601af82c abort 6038->6039 6040 601af831 6038->6040 6039->6040 6041 601af844 abort 6040->6041 6044 601af849 6040->6044 6041->6044 6042 6010bac0 21 API calls 6042->6044 6043 6010bb90 21 API calls 6043->6044 6044->6042 6044->6043 6045 601af907 6044->6045 6046 601af92f abort 6045->6046 6047 601adce0 6046->6047 6048 601af93d abort 6047->6048 6049 601af944 6048->6049 6051 601af994 fwrite 6049->6051 6054 601af9e7 6049->6054 6050 601af9f3 abort free 6050->6054 6052 601af9bd fputs 6051->6052 6053 601af9d2 fputc 6052->6053 6053->6054 6054->6050 6055 601afa35 6054->6055 6059 601add6e 6056->6059 6057 6010bac0 31 API calls 6057->6059 6058 6010bb90 31 API calls 6058->6059 6059->6057 6059->6058 6060 601af907 6059->6060 6061 601af92f abort 6060->6061 6062 601adce0 6061->6062 6063 601af93d abort 6062->6063 6064 601af944 6063->6064 6066 601af994 fwrite 6064->6066 6069 601af9e7 6064->6069 6065 601af9f3 abort free 6065->6069 6067 601af9bd fputs 6066->6067 6068 601af9d2 fputc 6067->6068 6068->6069 6069->6065 6070 601afa35 6069->6070 6072 6010bda0 6071->6072 6073 6010bd4d 6071->6073 6072->5998 6074 601af810 abort 6073->6074 6077 6010bd5a 6073->6077 6075 601af818 abort 6074->6075 6076 601af820 6075->6076 6078 601af82c abort 6076->6078 6079 601af831 6076->6079 6077->5998 6078->6079 6080 601af844 abort 6079->6080 6082 601af849 6079->6082 6080->6082 6081 6010bac0 20 API calls 6081->6082 6082->6081 6083 6010bb90 20 API calls 6082->6083 6084 601af907 6082->6084 6083->6082 6085 601af92f abort 6084->6085 6086 601adce0 6085->6086 6087 601af93d abort 6086->6087 6088 601af944 6087->6088 6090 601af994 fwrite 6088->6090 6093 601af9e7 6088->6093 6089 601af9f3 abort free 6089->6093 6091 601af9bd fputs 6090->6091 6092 601af9d2 fputc 6091->6092 
6092->6093 6093->6089 6094 601afa35 6093->6094 6096 6010ba72 6095->6096 6097 6010bc80 31 API calls 6096->6097 6100 6010bab3 6096->6100 6098 6010bb6c 6097->6098 6099 6010bd40 31 API calls 6098->6099 6099->6100 6100->5998 6104 6010bbb8 6101->6104 6102 6010bd40 21 API calls 6102->6104 6103 6010bc68 6106 601af82c abort 6103->6106 6107 601af831 6103->6107 6104->6102 6104->6103 6105 6010ba50 21 API calls 6104->6105 6108 6010bc2a 6104->6108 6105->6104 6106->6107 6110 601af844 abort 6107->6110 6114 601af849 6107->6114 6109 601af818 abort 6108->6109 6111 6010bc36 6108->6111 6109->6103 6110->6114 6111->5998 6112 6010bac0 21 API calls 6112->6114 6113 6010bb90 21 API calls 6113->6114 6114->6112 6114->6113 6115 601af907 6114->6115 6116 601af92f abort 6115->6116 6117 601adce0 6116->6117 6118 601af93d abort 6117->6118 6119 601af944 6118->6119 6121 601af994 fwrite 6119->6121 6124 601af9e7 6119->6124 6120 601af9f3 abort free 6120->6124 6122 601af9bd fputs 6121->6122 6123 601af9d2 fputc 6122->6123 6123->6124 6124->6120 6125 601afa35 6124->6125 6208 601a2320 6209 601a23b2 6208->6209 6211 601a2330 6208->6211 6210 601adbf0 6 API calls 6209->6210 6210->6211 6211->6211

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 60106BAD
                                                                                                                            • CreateEventA.KERNEL32 ref: 60106BD5
                                                                                                                            • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 60106C17
                                                                                                                            • GetCurrentThread.KERNEL32 ref: 60106C1B
                                                                                                                            • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 60106C23
                                                                                                                            • DuplicateHandle.KERNELBASE ref: 60106C4F
                                                                                                                            • GetThreadPriority.KERNEL32 ref: 60106C66
                                                                                                                            • TlsSetValue.KERNEL32 ref: 60106C92
                                                                                                                            • TlsGetValue.KERNEL32 ref: 60106CD0
                                                                                                                            • abort.MSVCRT(?,?,?,431BDE83,60109B07), ref: 601B242A
                                                                                                                            • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,431BDE83,60109B07), ref: 601B246C
                                                                                                                            • GetProcAddress.KERNEL32 ref: 601B248C
                                                                                                                            • GetProcAddress.KERNEL32 ref: 601B24A0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1871066382.000000005FD41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FD40000, based on PE: true
                                                                                                                            • Associated: 0000000B.00000002.1871046866.000000005FD40000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873114664.00000000601B9000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873150408.00000000601C0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873150408.000000006028E000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874104014.0000000060375000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874133695.0000000060376000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874159430.0000000060377000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874183755.000000006037B000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_5fd40000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Current$Thread$AddressHandleProcProcessValue$CreateDuplicateEventModulePriorityabort
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1214264455-0
                                                                                                                            • Opcode ID: cc3f782d726c9b10ada8c1661268a44ed87f1a48f0fc5a1a5d10606c37f32581
                                                                                                                            • Instruction ID: f165c34949b04727578e64af2eac9101a35efa7e2c4327836da4bd13de4eb8d2
                                                                                                                            • Opcode Fuzzy Hash: cc3f782d726c9b10ada8c1661268a44ed87f1a48f0fc5a1a5d10606c37f32581
                                                                                                                            • Instruction Fuzzy Hash: 4E4159B18053108FEB00AF79D98931ABFF8FB65315F404A2DE89597251E774D888CFA2

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1871066382.000000005FD41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FD40000, based on PE: true
                                                                                                                            • Associated: 0000000B.00000002.1871046866.000000005FD40000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873114664.00000000601B9000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873150408.00000000601C0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873150408.000000006028E000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874104014.0000000060375000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874133695.0000000060376000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874159430.0000000060377000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874183755.000000006037B000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_5fd40000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: abort
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4206212132-0
                                                                                                                            • Opcode ID: a08c408fcbaad1dbc1d59989a0049a24b4d96f6aad900431486d676ad840af63
                                                                                                                            • Instruction ID: 561049e5d7d9db3bd3d355efddfca7c0391e04915b3d918894f6038ccfea44d8
                                                                                                                            • Opcode Fuzzy Hash: a08c408fcbaad1dbc1d59989a0049a24b4d96f6aad900431486d676ad840af63
                                                                                                                            • Instruction Fuzzy Hash: 960184F05442168BD700EF39C4C176A7FE87B76305F850855E8805B351DB3C9889A7B5

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1871066382.000000005FD41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FD40000, based on PE: true
                                                                                                                            • Associated: 0000000B.00000002.1871046866.000000005FD40000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873114664.00000000601B9000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873150408.00000000601C0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873150408.000000006028E000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874104014.0000000060375000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874133695.0000000060376000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874159430.0000000060377000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874183755.000000006037B000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_5fd40000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _lock_unlockcalloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3876498383-0
                                                                                                                            • Opcode ID: ab375ab5a348395aa2b1c41066fd2d73b620529a5e0c5ab71e7ee1146ade8483
                                                                                                                            • Instruction ID: ad3daaffbbed6d70e7dd58c443f2ab601e6a74a3a8fd81b751094aafb8729576
                                                                                                                            • Opcode Fuzzy Hash: ab375ab5a348395aa2b1c41066fd2d73b620529a5e0c5ab71e7ee1146ade8483
                                                                                                                            • Instruction Fuzzy Hash: 61113AB1604211CFDB40DF28C5C061ABBE5BFB9244F158669D8D9CB245EF34D840CBA2

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 44 5fe712f0-5fe7130c 45 5fe71332-5fe71334 44->45 46 5fe7130e-5fe7131d 44->46 47 5fe71336-5fe7133d 45->47 48 5fe71329 45->48 50 5fe7132b-5fe71331 46->50 53 5fe7131f-5fe71321 46->53 51 5fe7133f 47->51 52 5fe71349-5fe71353 malloc 47->52 48->50 51->52 54 5fe71355-5fe7135b 52->54 55 5fe71323-5fe71327 52->55 53->50 53->55 55->48 56 5fe71360-5fe71397 call 5fe3beb0 call 5fe3bfc0 call 5fe3c340 55->56 56->50
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1871066382.000000005FD41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FD40000, based on PE: true
                                                                                                                            • Associated: 0000000B.00000002.1871046866.000000005FD40000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873114664.00000000601B9000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873150408.00000000601C0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873150408.000000006028E000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874104014.0000000060375000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874133695.0000000060376000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874159430.0000000060377000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874183755.000000006037B000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_5fd40000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: malloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2803490479-0
                                                                                                                            • Opcode ID: 329026c8c4bdf674a66ebc422acf2704bdb8e7efe514b3856df804ba5aac1a01
                                                                                                                            • Instruction ID: 64b516fa1c83314311ad903b1fd28b7903c3f0a7a6b6430da4b5a9201043392b
                                                                                                                            • Opcode Fuzzy Hash: 329026c8c4bdf674a66ebc422acf2704bdb8e7efe514b3856df804ba5aac1a01
                                                                                                                            • Instruction Fuzzy Hash: 2E11A1B1A0A341ABD7006F69DC8066FBBE4AF84658F414D1EE4C587A41DB38E5408B83

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 700 60106ad0-60106ad7 701 60106b88 700->701 702 60106add-60106b02 call 601064c0 call 6005f4b0 700->702 707 60106b40-60106b43 702->707 708 60106b04-60106b12 TlsAlloc 702->708 711 60106b22-60106b2c call 6005f7e0 707->711 712 60106b45-60106b78 fprintf call 6005f7e0 707->712 709 60106b18 708->709 710 601b2425-601b2477 abort * 2 GetModuleHandleA 708->710 709->711 715 601b24a9-601b24ae 710->715 716 601b2479-601b24a8 GetProcAddress * 2 710->716 719 60106b7a-60106b80 711->719 720 60106b2e-60106b35 711->720 712->719 712->720 716->715 720->707
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 601064C0: calloc.MSVCRT ref: 6010654E
                                                                                                                            • TlsAlloc.KERNEL32(?,?,00000000,6010801E,?,?,?,431BDE83,60109B07), ref: 60106B04
                                                                                                                            • fprintf.MSVCRT ref: 60106B69
                                                                                                                            • abort.MSVCRT(?,?,?,431BDE83,60109B07), ref: 601B2425
                                                                                                                            • abort.MSVCRT(?,?,?,431BDE83,60109B07), ref: 601B242A
                                                                                                                            • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,431BDE83,60109B07), ref: 601B246C
                                                                                                                            • GetProcAddress.KERNEL32 ref: 601B248C
                                                                                                                            • GetProcAddress.KERNEL32 ref: 601B24A0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1871066382.000000005FD41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FD40000, based on PE: true
                                                                                                                            • Associated: 0000000B.00000002.1871046866.000000005FD40000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873114664.00000000601B9000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873150408.00000000601C0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873150408.000000006028E000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874104014.0000000060375000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874133695.0000000060376000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874159430.0000000060377000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874183755.000000006037B000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_5fd40000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProcabort$AllocHandleModulecallocfprintf
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2703921052-0
                                                                                                                            • Opcode ID: f0e3cd144e5a773126cb41a65f348dd06fc2d4d69a69027509bbbda40c74a7de
                                                                                                                            • Instruction ID: 8df681b8fa229ae174f6eb71a6e328503a98481df702fb259d78e6e6b0bba380
                                                                                                                            • Opcode Fuzzy Hash: f0e3cd144e5a773126cb41a65f348dd06fc2d4d69a69027509bbbda40c74a7de
                                                                                                                            • Instruction Fuzzy Hash: F93180F15042148FDB01AF28D98672ABFF8FB76325F01452DE5C597320EB7898848F56
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1871066382.000000005FD41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FD40000, based on PE: true
                                                                                                                            • Associated: 0000000B.00000002.1871046866.000000005FD40000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873114664.00000000601B9000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873150408.00000000601C0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873150408.000000006028E000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874104014.0000000060375000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874133695.0000000060376000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874159430.0000000060377000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874183755.000000006037B000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_5fd40000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memcpy
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3510742995-0
                                                                                                                            • Opcode ID: 021b4043af7256faa02c23b417563f10ba572db4cbb3459db1066a4e0aa47277
                                                                                                                            • Instruction ID: 834c93209eef1264602488e4e713ff6a783002ebb25527faf0704fb697dc7041
                                                                                                                            • Opcode Fuzzy Hash: 021b4043af7256faa02c23b417563f10ba572db4cbb3459db1066a4e0aa47277
                                                                                                                            • Instruction Fuzzy Hash: F751E1B8E043589FCB44DFA8C484ACEBBF4BF59304F10852EE884AB345D7B5A845DB91
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1871066382.000000005FD41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FD40000, based on PE: true
                                                                                                                            • Associated: 0000000B.00000002.1871046866.000000005FD40000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873114664.00000000601B9000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873150408.00000000601C0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873150408.000000006028E000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874104014.0000000060375000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874133695.0000000060376000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874159430.0000000060377000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874183755.000000006037B000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_5fd40000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memcpy
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3510742995-0
                                                                                                                            • Opcode ID: f9129bb6c1dabde803bf3800021be58ddf73fc87b8c730430f3298e0244bdb69
                                                                                                                            • Instruction ID: 71b06b1115ebcdb204e894adc3a1c68b2b588ec925f7457a1c8077e9534d8619
                                                                                                                            • Opcode Fuzzy Hash: f9129bb6c1dabde803bf3800021be58ddf73fc87b8c730430f3298e0244bdb69
                                                                                                                            • Instruction Fuzzy Hash: BF51E4B8D043589FCB40DFA8C4846DEBBF4BF5A704F11852EE884AB345E7B49885CB91
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1871066382.000000005FD41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FD40000, based on PE: true
                                                                                                                            • Associated: 0000000B.00000002.1871046866.000000005FD40000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873114664.00000000601B9000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873150408.00000000601C0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873150408.000000006028E000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874104014.0000000060375000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874133695.0000000060376000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874159430.0000000060377000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874183755.000000006037B000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_5fd40000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memcpy
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3510742995-0
                                                                                                                            • Opcode ID: 34ed20bfd4ff10552310d543bb5a16233bda1a8b8c3d52a1aeb16274f675d895
                                                                                                                            • Instruction ID: 44356a01ab05d010725242c5c34ded1d3a22b8a7efa05b40a82516730f44d5b7
                                                                                                                            • Opcode Fuzzy Hash: 34ed20bfd4ff10552310d543bb5a16233bda1a8b8c3d52a1aeb16274f675d895
                                                                                                                            • Instruction Fuzzy Hash: BC51D3B8D043589FCB40DFA8C4846DEBBF4BF5A304F11852EE884AB345E7B59985CB91
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1871066382.000000005FD41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FD40000, based on PE: true
                                                                                                                            • Associated: 0000000B.00000002.1871046866.000000005FD40000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873114664.00000000601B9000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873150408.00000000601C0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873150408.000000006028E000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874104014.0000000060375000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874133695.0000000060376000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874159430.0000000060377000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874183755.000000006037B000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_5fd40000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memcpy$malloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 962570267-0
                                                                                                                            • Opcode ID: de02c8518b7479e382a80e2b58ce8070548ff2ede68eb3df6602db689e86d224
                                                                                                                            • Instruction ID: b72e03c04f9eeb16f27488e0564175b7d275ac63971e3f584baf59e266652f14
                                                                                                                            • Opcode Fuzzy Hash: de02c8518b7479e382a80e2b58ce8070548ff2ede68eb3df6602db689e86d224
                                                                                                                            • Instruction Fuzzy Hash: 53613BB54093408FD741DF69C48435ABFE0BFAA348F114E6EE4C8A7651E7B59288CB93
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1871066382.000000005FD41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FD40000, based on PE: true
                                                                                                                            • Associated: 0000000B.00000002.1871046866.000000005FD40000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873114664.00000000601B9000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873150408.00000000601C0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873150408.000000006028E000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874104014.0000000060375000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874133695.0000000060376000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874159430.0000000060377000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874183755.000000006037B000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_5fd40000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 02693c5921bac1e70d139a727fadfdc5fefcc228c56b08ea703de4d60bd5c8ea
                                                                                                                            • Instruction ID: d56330631071e0503964f29366756a528e31c537b0520a23e0b3710e1c6a487c
                                                                                                                            • Opcode Fuzzy Hash: 02693c5921bac1e70d139a727fadfdc5fefcc228c56b08ea703de4d60bd5c8ea
                                                                                                                            • Instruction Fuzzy Hash: 7531DFB45083809BC3909F29C08434BBBE5BFD9758F504A1DF9D89B220D7B0E9459F82
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1871066382.000000005FD41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FD40000, based on PE: true
                                                                                                                            • Associated: 0000000B.00000002.1871046866.000000005FD40000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873114664.00000000601B9000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873150408.00000000601C0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873150408.000000006028E000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874104014.0000000060375000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874133695.0000000060376000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874159430.0000000060377000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874183755.000000006037B000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_5fd40000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: a038fb2f3a901f59d44f1698b874a5bedd92bd44b3fd26a72f251727224fab7e
                                                                                                                            • Instruction ID: 57b00f87431a1aadbb0bcc6d393268031ba8329958cc2811e9cfbfd22c611c32
                                                                                                                            • Opcode Fuzzy Hash: a038fb2f3a901f59d44f1698b874a5bedd92bd44b3fd26a72f251727224fab7e
                                                                                                                            • Instruction Fuzzy Hash: 1731E5B4608B058FD700AF29C58531FBBE2BFA5248F018D2CF9C58B245DB78D9499B92
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1871066382.000000005FD41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FD40000, based on PE: true
                                                                                                                            • Associated: 0000000B.00000002.1871046866.000000005FD40000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873114664.00000000601B9000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873150408.00000000601C0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873150408.000000006028E000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874104014.0000000060375000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874133695.0000000060376000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874159430.0000000060377000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874183755.000000006037B000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_5fd40000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: f7ae79d6408111699ea2b7e5ce6adcea108dec1a66653b5b02375e4a9c2fe63d
                                                                                                                            • Instruction ID: e1a3fb60e5270059be194004b2aabf7f098e822c8da8728f88d3de36f0802ef2
                                                                                                                            • Opcode Fuzzy Hash: f7ae79d6408111699ea2b7e5ce6adcea108dec1a66653b5b02375e4a9c2fe63d
                                                                                                                            • Instruction Fuzzy Hash: 0F31E5B46087058FD700AF29C58531FBBE2BFE5248F014C2CF9819B345EBB8D9499B92
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1871066382.000000005FD41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FD40000, based on PE: true
                                                                                                                            • Associated: 0000000B.00000002.1871046866.000000005FD40000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873114664.00000000601B9000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873150408.00000000601C0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873150408.000000006028E000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874104014.0000000060375000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874133695.0000000060376000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874159430.0000000060377000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874183755.000000006037B000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_5fd40000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 04fd1a9125bfd2236fb9ddb1cebcd5043b5ddcdea5d6fb7ae223072e2b11908c
                                                                                                                            • Instruction ID: 0bbe3a6f458b50a2199c792be51a659fc94345c44d5f6c8a090e553cf46a4c55
                                                                                                                            • Opcode Fuzzy Hash: 04fd1a9125bfd2236fb9ddb1cebcd5043b5ddcdea5d6fb7ae223072e2b11908c
                                                                                                                            • Instruction Fuzzy Hash: 07C012B8C047408AC200BF38810A239BAB06B62208F846CACE88013211E736C018866B

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • GetCurrentThread.KERNEL32 ref: 60109678
                                                                                                                            • GetThreadTimes.KERNEL32 ref: 601096A1
                                                                                                                            • GetSystemTimeAsFileTime.KERNEL32 ref: 60109717
                                                                                                                            • QueryPerformanceFrequency.KERNEL32 ref: 60109757
                                                                                                                            • QueryPerformanceCounter.KERNEL32 ref: 6010976F
                                                                                                                            • GetCurrentProcess.KERNEL32 ref: 60109818
                                                                                                                            • GetProcessTimes.KERNEL32 ref: 60109841
                                                                                                                            • _errno.MSVCRT ref: 60109852
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1871066382.000000005FD41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FD40000, based on PE: true
                                                                                                                            • Associated: 0000000B.00000002.1871046866.000000005FD40000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873114664.00000000601B9000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873150408.00000000601C0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1873150408.000000006028E000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874104014.0000000060375000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874133695.0000000060376000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874159430.0000000060377000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                                            • Associated: 0000000B.00000002.1874183755.000000006037B000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_5fd40000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CurrentPerformanceProcessQueryThreadTimeTimes$CounterFileFrequencySystem_errno
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3786581644-0
                                                                                                                            • Opcode ID: 2fea47331962b9d553bb2bc9a876e073b30e9d8e9893e42cb3aff8e70364c078
                                                                                                                            • Instruction ID: c59320bb5cde7a8214e92981d2afc5fc361cc22a45880b0f38441da6abc80e32
                                                                                                                            • Opcode Fuzzy Hash: 2fea47331962b9d553bb2bc9a876e073b30e9d8e9893e42cb3aff8e70364c078
                                                                                                                            • Instruction Fuzzy Hash: 5BB123B55083108FC700DF29C9A564ABFF5FB99355F058A2EE89A97314EB70E944CB82

                                                                                                                            APIs
                                                                                                                            • calloc.MSVCRT ref: 601054DD
                                                                                                                            • CreateSemaphoreA.KERNEL32 ref: 6010551F
                                                                                                                            • CreateSemaphoreA.KERNEL32 ref: 60105546
                                                                                                                            • InitializeCriticalSection.KERNEL32 ref: 60105565
                                                                                                                            • InitializeCriticalSection.KERNEL32 ref: 60105570
                                                                                                                            • InitializeCriticalSection.KERNEL32 ref: 6010557B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1871066382.000000005FD41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FD40000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_5fd40000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalInitializeSection$CreateSemaphore$calloc
                                                                                                                            • String ID: l
                                                                                                                            • API String ID: 2075313795-2517025534
                                                                                                                            • Opcode ID: 0e6283f79b15ec69e671279e45ce7443bfdc172d70e8a189a3aabfbb06ccdf8c
                                                                                                                            • Instruction ID: 7edd1594622df644546087f8653c0eb5957787507dabdba4b9de3996832f2f19
                                                                                                                            • Opcode Fuzzy Hash: 0e6283f79b15ec69e671279e45ce7443bfdc172d70e8a189a3aabfbb06ccdf8c
                                                                                                                            • Instruction Fuzzy Hash: 2C41ADB19043008FEB00AF28D98835ABFF4FF91314F118A6DD9958B284EB76D458CF82

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1871066382.000000005FD41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FD40000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_5fd40000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: c4848d57866a5fbade6eb627c0b36e016d7a4ab419713f9d9a5bdce57df3c186
                                                                                                                            • Instruction ID: 9ef341c5eac0449a8a9f6e3367a282677d5c61f765bbe002ef9ff2646368e72c
                                                                                                                            • Opcode Fuzzy Hash: c4848d57866a5fbade6eb627c0b36e016d7a4ab419713f9d9a5bdce57df3c186
                                                                                                                            • Instruction Fuzzy Hash: 8D71BFB55482088FD700EFB8C4C276EBBE5AF72308F41881CE8D697255DF7898459BA3

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 60107AC0: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000030,76ECE820), ref: 60107AD0
                                                                                                                              • Part of subcall function 6005FE90: WaitForMultipleObjects.KERNEL32 ref: 6005FF03
                                                                                                                            • ResetEvent.KERNEL32 ref: 6010569F
                                                                                                                              • Part of subcall function 60107E30: TlsGetValue.KERNEL32(?,?,00000000,?,60108065,?,?,?,?,431BDE83,60109B07), ref: 60107E42
                                                                                                                            • WaitForSingleObject.KERNEL32 ref: 601056DF
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1871066382.000000005FD41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FD40000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_5fd40000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ValueWait$EventMultipleObjectObjectsResetSingle
                                                                                                                            • String ID: (
                                                                                                                            • API String ID: 2327612466-3887548279
                                                                                                                            • Opcode ID: 4ebc119da155c49f59ebdbacd7c579b7450db81afa7f78fe8fc0b05c28c767ec
                                                                                                                            • Instruction ID: c422243c268639035ee8e34d720339e148f68d8d4d3d43b71a4fc7ad1e328bac
                                                                                                                            • Opcode Fuzzy Hash: 4ebc119da155c49f59ebdbacd7c579b7450db81afa7f78fe8fc0b05c28c767ec
                                                                                                                            • Instruction Fuzzy Hash: AD61AF31908311CBD710AF69864931BBEE5AFB1745F51882EE9C687240EF71DC84ABA3

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1871066382.000000005FD41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FD40000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_5fd40000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: strlen
                                                                                                                            • String ID: $ $+$0123456789ABCDEF$0123456789abcdef
                                                                                                                            • API String ID: 39653677-2690344263
                                                                                                                            • Opcode ID: 97829f6efac3e2ea013104594e564dc57c766ad7eb63c04ec56ab80b422479fd
                                                                                                                            • Instruction ID: e0708bb3156c35da24f7a7fb3295dc3751d09ca11a5462b185f6ce93aefae541
                                                                                                                            • Opcode Fuzzy Hash: 97829f6efac3e2ea013104594e564dc57c766ad7eb63c04ec56ab80b422479fd
                                                                                                                            • Instruction Fuzzy Hash: 670239B46093418FD790CF28C080B9ABBE1BF89748F198D2DE8D99B352D775E941CB52

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • SwitchToFiber.KERNEL32(?,?,?,?,5FD41CE1,5FD570E0,?,5FD5742C,?,?,?,?,?,?,?,?), ref: 5FDEFCB9
                                                                                                                            • memcpy.MSVCRT(?,?,?,?,?,5FD41CE1,5FD570E0,?,5FD5742C,?,?,?,?,?,?,?), ref: 5FDEFD50
                                                                                                                            • SwitchToFiber.KERNEL32(?,?,?,?,?,5FD41CE1,5FD570E0,?,5FD5742C,?,?,?,?,?,?,?), ref: 5FDEFD7C
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1871066382.000000005FD41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FD40000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_5fd40000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FiberSwitch$memcpy
                                                                                                                            • String ID: `
                                                                                                                            • API String ID: 148397844-2679148245
                                                                                                                            • Opcode ID: 35c0ee7c776e1f06caf183644f5104398f850240c7f543d02ff5076c6beb2aec
                                                                                                                            • Instruction ID: 0cb666c6ffe55fd91d05f211c6d19ce2558ebb5f8b0c2e790d3f1248d47f6f0b
                                                                                                                            • Opcode Fuzzy Hash: 35c0ee7c776e1f06caf183644f5104398f850240c7f543d02ff5076c6beb2aec
                                                                                                                            • Instruction Fuzzy Hash: 23D1E3F09097059FD740AFA4D48475AFBE0AF80784F11881EE9D89B345DB79E884CBD2

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 60106AD0: TlsAlloc.KERNEL32(?,?,00000000,6010801E,?,?,?,431BDE83,60109B07), ref: 60106B04
                                                                                                                            • TlsGetValue.KERNEL32(?,?,00000000,?,60108065,?,?,?,?,431BDE83,60109B07), ref: 60107E42
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1871066382.000000005FD41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FD40000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_5fd40000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocValue
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1189806713-0
                                                                                                                            • Opcode ID: e3ce71bb5d30215f923c9c174376ee40cc7e985438380fc2c9ea4245201e3296
                                                                                                                            • Instruction ID: 5e3a0cdc6fa112918debd290d251a3a694c09928b0358224df1f3fa547e2e326
                                                                                                                            • Opcode Fuzzy Hash: e3ce71bb5d30215f923c9c174376ee40cc7e985438380fc2c9ea4245201e3296
                                                                                                                            • Instruction Fuzzy Hash: ED41A3B1A056124BDB00BF7CD98622A7FE5AF35258F114A6AE8E2C7245FF34DC44C792

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1871066382.000000005FD41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FD40000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_5fd40000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CurrentDebugOutputStringThreadabortfprintf
                                                                                                                            • String ID: 5
                                                                                                                            • API String ID: 4086887302-2226203566
                                                                                                                            • Opcode ID: 251645aa667073a5a7bca6eab513fb9b4fd3832eff6762d89c5595a99b5b2c6d
                                                                                                                            • Instruction ID: 26819d062dabf731259c4114b8aa0709b54eceafdffb1e58d1c583f6c49f4007
                                                                                                                            • Opcode Fuzzy Hash: 251645aa667073a5a7bca6eab513fb9b4fd3832eff6762d89c5595a99b5b2c6d
                                                                                                                            • Instruction Fuzzy Hash: 3D3170B18087198BDB00AF74C88575EBFF4BF75348F02892DE4DAA7210EB7095C48B92

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 60106B90: TlsGetValue.KERNEL32 ref: 60106CD0
                                                                                                                            • longjmp.MSVCRT ref: 60107BE6
                                                                                                                            • TlsGetValue.KERNEL32(?,?,?,0000001C,60107D9F,?,?,?,?,00000000,60107EDE,?,?,?,00000000,?), ref: 60107BF4
                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,0000001C,60107D9F,?,?,?,?,00000000,60107EDE,?,?,?,00000000), ref: 60107C1B
                                                                                                                            • _endthreadex.MSVCRT(?,?,?,?,0000001C,60107D9F,?,?,?,?,00000000,60107EDE,?,?,?,00000000), ref: 60107C30
                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,0000001C,60107D9F,?,?,?,?,00000000,60107EDE,?,?,?,00000000), ref: 60107C42
                                                                                                                            • TlsSetValue.KERNEL32(?,?,?,?,?,0000001C,60107D9F,?,?,?,?,00000000,60107EDE), ref: 60107C63
                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,0000001C,60107D9F,?,?,?,?,00000000,60107EDE,?,?,?,00000000), ref: 60107C7A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1871066382.000000005FD41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FD40000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_5fd40000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseHandleValue$_endthreadexlongjmp
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3990644698-0
                                                                                                                            • Opcode ID: ee4da86553632e7a45094ee8479a2a3d9a79640ada998cc39344f75b3c1706f2
                                                                                                                            • Instruction ID: 62f906a5c179417917e2deda9633aab3d14f5f23962021d818915c641dfe9281
                                                                                                                            • Opcode Fuzzy Hash: ee4da86553632e7a45094ee8479a2a3d9a79640ada998cc39344f75b3c1706f2
                                                                                                                            • Instruction Fuzzy Hash: 4E21E0B0A043118FEB04AF34CA886167FF8FF29705F015869ED86DB256EB34D884CB95
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1871066382.000000005FD41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FD40000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_5fd40000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: malloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2803490479-0
                                                                                                                            • Opcode ID: ad3519d4c694ca1c63622cdb058c1d32ae96150af9951ab6f35b17c88fd93de4
                                                                                                                            • Instruction ID: bac88e288b0d66e7072643aea08eb906221ca75260444a391c424dd4be8ea641
                                                                                                                            • Opcode Fuzzy Hash: ad3519d4c694ca1c63622cdb058c1d32ae96150af9951ab6f35b17c88fd93de4
                                                                                                                            • Instruction Fuzzy Hash: B2212AB86087119FD700BFB8C58672EBAE4AF75318F41881CF4D99B255DFB488819B63
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1871066382.000000005FD41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FD40000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_5fd40000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: `$e
                                                                                                                            • API String ID: 0-2074502723
                                                                                                                            • Opcode ID: a047fd0ee7b64d5746b6d6ae0fe75606e4abe076a89644556af7c12c65941d9a
                                                                                                                            • Instruction ID: 8008e8f08cf7f2e400ca12f559c565b5ce0525f327f48892dfc7228fdac3e959
                                                                                                                            • Opcode Fuzzy Hash: a047fd0ee7b64d5746b6d6ae0fe75606e4abe076a89644556af7c12c65941d9a
                                                                                                                            • Instruction Fuzzy Hash: 6371C9F090A702ABD740AFA5D88475EFBE4AF90784F01882DE5C99B341DBB9D444CB92
                                                                                                                            APIs
                                                                                                                            • calloc.MSVCRT ref: 60109E98
                                                                                                                            • free.MSVCRT ref: 60109F27
                                                                                                                            • free.MSVCRT ref: 60109F4F
                                                                                                                              • Part of subcall function 601054A0: calloc.MSVCRT ref: 601054DD
                                                                                                                              • Part of subcall function 601054A0: CreateSemaphoreA.KERNEL32 ref: 6010551F
                                                                                                                              • Part of subcall function 601054A0: CreateSemaphoreA.KERNEL32 ref: 60105546
                                                                                                                              • Part of subcall function 601054A0: InitializeCriticalSection.KERNEL32 ref: 60105565
                                                                                                                              • Part of subcall function 601054A0: InitializeCriticalSection.KERNEL32 ref: 60105570
                                                                                                                              • Part of subcall function 601054A0: InitializeCriticalSection.KERNEL32 ref: 6010557B
                                                                                                                            • free.MSVCRT ref: 60109F97
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1871066382.000000005FD41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FD40000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_5fd40000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalInitializeSectionfree$CreateSemaphorecalloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3430360044-3916222277
                                                                                                                            • Opcode ID: 5e17245b14a16c47887db4d77e7442e1f41ca2bef3267d77ef55ec6c467aa379
                                                                                                                            • Instruction ID: f681e9733249179a460645853236154a50bd58e9669c7f28a092c17cbd89ed73
                                                                                                                            • Opcode Fuzzy Hash: 5e17245b14a16c47887db4d77e7442e1f41ca2bef3267d77ef55ec6c467aa379
                                                                                                                            • Instruction Fuzzy Hash: B93150B16087018FD700AF25E49435FFBE4EFA5318F05882DE4C88B241DB3AC859CB92
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1871066382.000000005FD41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FD40000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_5fd40000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Time$FileSystem_errno
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3586254970-0
                                                                                                                            • Opcode ID: b57e279f7cfadc165d5d724e077a52454ae0938463069838105dc755f9cb1f0e
                                                                                                                            • Instruction ID: 2761881cb6ab089d39e58f2beb490476caa21fdea11465784c5ad1c30cdaafa5
                                                                                                                            • Opcode Fuzzy Hash: b57e279f7cfadc165d5d724e077a52454ae0938463069838105dc755f9cb1f0e
                                                                                                                            • Instruction Fuzzy Hash: A2516C72A083148FD700DF29D5A460ABFE5FFE9324F118A2DE8D997354EB70D9458B82
                                                                                                                            APIs
                                                                                                                            • abort.MSVCRT(?,?,?,?,?,?,6010BC17), ref: 601AF810
                                                                                                                            • abort.MSVCRT(?,?,?,?,?,?,6010BB6C), ref: 601AF818
                                                                                                                            • abort.MSVCRT(?,?,?,?,?,?,6010BC17), ref: 601AF82C
                                                                                                                            • abort.MSVCRT(?,?,?,?,?,?,6010BC17), ref: 601AF844
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1871066382.000000005FD41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FD40000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_5fd40000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: abort
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4206212132-0
                                                                                                                            • Opcode ID: 96f302cdd6ce67b7ffcaaacc7cf19395fbe3e5a031512917133b22038397043c
                                                                                                                            • Instruction ID: 203e78c63486c3c3d2cdb0dc7dc01c2b57d84081330e5c849b1d6592b2522bd8
                                                                                                                            • Opcode Fuzzy Hash: 96f302cdd6ce67b7ffcaaacc7cf19395fbe3e5a031512917133b22038397043c
                                                                                                                            • Instruction Fuzzy Hash: 1741E3762442088FC700DFA8D4C169ABBE5FFB231CF14896DE4954B319DB35D846DBA2
                                                                                                                            APIs
                                                                                                                            • QueryPerformanceCounter.KERNEL32 ref: 6005FB60
                                                                                                                            • GetTickCount.KERNEL32 ref: 6005FB6D
                                                                                                                            • QueryPerformanceFrequency.KERNEL32 ref: 6005FBD7
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1871066382.000000005FD41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FD40000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_5fd40000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: PerformanceQuery$CountCounterFrequencyTick
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 713402817-0
                                                                                                                            • Opcode ID: 57583fab87492638b89bca59925f7f98d8c98e0177507865d352d479446f82b2
                                                                                                                            • Instruction ID: 1a8a53fc4595fee0d349c8a4a1e1c10cd981ec5f5ddc986a3c645d1e5fad7d22
                                                                                                                            • Opcode Fuzzy Hash: 57583fab87492638b89bca59925f7f98d8c98e0177507865d352d479446f82b2
                                                                                                                            • Instruction Fuzzy Hash: E93137B4908315CFCB04EF38C69471ABFE8BB99314F41892CE89997258E734E849DF52
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1871066382.000000005FD41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FD40000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_5fd40000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: strlen$strcpy
                                                                                                                            • String ID: B
                                                                                                                            • API String ID: 2790333442-1255198513
                                                                                                                            • Opcode ID: ebf9d32c268252c659f9ac48fe57a3a08115dd4aaee3bc2b819bb6a7a29ede3a
                                                                                                                            • Instruction ID: 0846cc0ab01e732e2374dde5cdac08b9da09199131f70111b20dedacac8e4c34
                                                                                                                            • Opcode Fuzzy Hash: ebf9d32c268252c659f9ac48fe57a3a08115dd4aaee3bc2b819bb6a7a29ede3a
                                                                                                                            • Instruction Fuzzy Hash: A62151F1C097809FD700AF68C48839EBBE1FF80344F55486DE8884B246DB79E444CB92
                                                                                                                            APIs
                                                                                                                            • memset.MSVCRT ref: 6018A49E
                                                                                                                            • memmove.MSVCRT(?,?,?,?,?,00000000,00000000,?,?,5FD47F62), ref: 6018A4BE
                                                                                                                            • memset.MSVCRT ref: 6018A5B4
                                                                                                                              • Part of subcall function 601ADBF0: malloc.MSVCRT ref: 601ADC07
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1871066382.000000005FD41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FD40000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_5fd40000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memset$mallocmemmove
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1346079573-0
                                                                                                                            APIs
                                                                                                                            • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,0000001C,?,6010A59B), ref: 60105B96
                                                                                                                            • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,0000001C,?,6010A59B), ref: 60105C26
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1871066382.000000005FD41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FD40000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_5fd40000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalSection$EnterLeave
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3168844106-0
                                                                                                                            APIs
                                                                                                                            • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,0000001C,00000030,00000050,?,60105BD1), ref: 60105920
                                                                                                                            • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,0000001C,00000030,00000050,?,60105BD1), ref: 6010593C
                                                                                                                            • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,0000001C,00000030,00000050,?,60105BD1), ref: 60105979
                                                                                                                            • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,0000001C,00000030,00000050,?,60105BD1), ref: 60105985
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1871066382.000000005FD41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FD40000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_5fd40000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalSection$EnterLeave
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3168844106-0

                                                                                                                            Execution Graph

                                                                                                                            Execution Coverage:7.1%
                                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                                            Signature Coverage:0%
                                                                                                                            Total number of Nodes:86
                                                                                                                            Total number of Limit Nodes:7

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • Sleep.KERNELBASE(00000000,?,00AB9B19,?,?,00AB9D58), ref: 00AB9AC6
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.0000000000AB9000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00AB9000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_ab9000_rutserv.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Sleep
                                                                                                                            • String ID: gfff$gfff
                                                                                                                            • API String ID: 3472027048-3084402119

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • RegOpenKeyExW.KERNELBASE(80000002,00B150E0,00000000,00020019,?), ref: 00B14FB7
                                                                                                                            • RegQueryValueExW.KERNELBASE(?,00B1513C,00000000,00000000,00000000,?,00000000,00B150CE), ref: 00B14FE5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.0000000000B13000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00B13000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_b13000_rutserv.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: OpenQueryValue
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4153817207-0

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • SleepEx.KERNELBASE(0000000A,00000000), ref: 00FE076A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.0000000000FE0000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_fe0000_rutserv.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Sleep
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3472027048-0

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • RtlUnwind.KERNEL32(?,?,?,00000000,?,?,?,?), ref: 00ABA5B6
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.0000000000AB9000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00AB9000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_ab9000_rutserv.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Unwind
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3419175465-0

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • SetServiceStatus.ADVAPI32(?,?), ref: 00FC10E7
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.0000000000FC1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FC1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_fc1000_rutserv.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ServiceStatus
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3969395364-0

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • RtlUnwind.KERNEL32(?,?,?,00000000,?,?,?,?), ref: 00ABA5B6
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.0000000000AB9000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00AB9000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_ab9000_rutserv.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Unwind
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3419175465-0

                                                                                                                            APIs
                                                                                                                            • RtlUnwind.KERNEL32(?,?,?,00000000,?,?,?,?), ref: 00ABA5B6
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.0000000000AB9000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00AB9000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_ab9000_rutserv.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Unwind
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3419175465-0

                                                                                                                            APIs
                                                                                                                            • CreateThread.KERNEL32(?,?,Function_00002158,00000000,?,?), ref: 00ABB1EA
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.0000000000AB9000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00AB9000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_ab9000_rutserv.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateThread
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2422867632-0

                                                                                                                            APIs
                                                                                                                            • CreateThread.KERNEL32(?,?,Function_00002158,00000000,?,?), ref: 00ABB1EA
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.0000000000AB9000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00AB9000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_ab9000_rutserv.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateThread
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2422867632-0

                                                                                                                            APIs
                                                                                                                            • ResumeThread.KERNELBASE(?), ref: 00BFBE84
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.0000000000BFB000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00BFB000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_bfb000_rutserv.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ResumeThread
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 947044025-0

                                                                                                                            APIs
                                                                                                                            • SysReAllocStringLen.OLEAUT32(?,?,?,00ABAE29), ref: 00ABB74E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.0000000000AB9000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00AB9000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_ab9000_rutserv.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocString
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2525500382-0

                                                                                                                            APIs
                                                                                                                            • SetThreadPriority.KERNELBASE(?), ref: 00BFBF41
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.0000000000BFB000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00BFB000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_bfb000_rutserv.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: PriorityThread
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2383925036-0

                                                                                                                            APIs
                                                                                                                            • PostThreadMessageW.USER32(?,00000401,?,00000000), ref: 00FC1230
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.0000000000FC1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FC1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_fc1000_rutserv.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MessagePostThread
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1836367815-0

                                                                                                                            APIs
                                                                                                                            • SysAllocStringLen.OLEAUT32(?,00000000,?,00ABB5F3), ref: 00ABB4A3
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.0000000000AB9000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00AB9000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_ab9000_rutserv.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocString
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2525500382-0

                                                                                                                            Control-flow Graph (figure not reproduced): block abb208-abb212 leads to block abb21c-abb223, which calls RtlExitUserThread.
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.0000000000AB9000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00AB9000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_ab9000_rutserv.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExitThreadUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3424019298-0
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.0000000000F98000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F98000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_f98000_rutserv.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: IdThread (unknown)
                                                                                                                            • API String ID: 0-2043411369
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.0000000000FBC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FBC000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_fbc000_rutserv.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: loopback
                                                                                                                            • API String ID: 0-3546420730
                                                                                                                            Strings
                                                                                                                            • TProcessMessagesThread.Execute, xrefs: 019B67BE
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.00000000019B6000.00000020.00000001.01000000.0000000D.sdmp, Offset: 019B6000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_19b6000_rutserv.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: TProcessMessagesThread.Execute
                                                                                                                            • API String ID: 0-3632000192
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.0000000000D93000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00D93000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_d93000_rutserv.jbxd
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.0000000000D93000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00D93000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_d93000_rutserv.jbxd
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.00000000012E0000.00000020.00000001.01000000.0000000D.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_12e0000_rutserv.jbxd
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.0000000000D93000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00D93000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_d93000_rutserv.jbxd
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.00000000012E0000.00000020.00000001.01000000.0000000D.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_12e0000_rutserv.jbxd
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.00000000012E0000.00000020.00000001.01000000.0000000D.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_12e0000_rutserv.jbxd
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.0000000000F98000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F98000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_f98000_rutserv.jbxd
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.00000000012E0000.00000020.00000001.01000000.0000000D.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_12e0000_rutserv.jbxd
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.0000000000D93000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00D93000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_d93000_rutserv.jbxd
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.0000000000F2C000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F2C000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_f2c000_rutserv.jbxd
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.0000000000F2C000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F2C000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_f2c000_rutserv.jbxd
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.00000000012E0000.00000020.00000001.01000000.0000000D.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_12e0000_rutserv.jbxd
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.0000000000F2C000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F2C000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_f2c000_rutserv.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: fd6cdd988a56d7c6fb7a3949aac5ecd26d8f4041001913282383e53fff9d929c
                                                                                                                            • Instruction ID: a96091a56ecc01e47460bb8e9fb7fa734b1d3d8f2e1efdae9b7704084d9d5a38
                                                                                                                            • Opcode Fuzzy Hash: fd6cdd988a56d7c6fb7a3949aac5ecd26d8f4041001913282383e53fff9d929c
                                                                                                                            • Instruction Fuzzy Hash: E5B0922120D3800DD7AB27A02962A583BA08C43210F1A04DEE4C04E1629E421092D392
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.0000000000F98000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F98000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_f98000_rutserv.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: ece824149a976f0be7aa823cfae3d6b3b8c5d121f86fed4468d886b46952911c
                                                                                                                            • Instruction ID: 8c92b587537945f722bbec28aa6d2ccc18f740a2890c47b319cc2e8a119ee67e
                                                                                                                            • Opcode Fuzzy Hash: ece824149a976f0be7aa823cfae3d6b3b8c5d121f86fed4468d886b46952911c
                                                                                                                            • Instruction Fuzzy Hash: CAB0123200010C778F013E85DC02C5D7F5DAB60360B00C011FA0C090219633AAB8A7D4
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.0000000000BF9000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00BF9000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_bf9000_rutserv.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: c8c2ac574abf55ae21cbf6035824376078acdc7e53a90bdab73b1b59692627a7
                                                                                                                            • Instruction ID: dcab931c4a539a2eadd99cff47283e157d11fd23f3196920210e5ae52d992c9a
                                                                                                                            • Opcode Fuzzy Hash: c8c2ac574abf55ae21cbf6035824376078acdc7e53a90bdab73b1b59692627a7
                                                                                                                            • Instruction Fuzzy Hash: 6BB001747001158F9F80DB28C688905B7E1BF8932131583E0A409CB336DA30EC85CF81
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.0000000000F98000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F98000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_f98000_rutserv.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 478f410146413648341e8936528a27955cee7fad26bed8f5d055f4a05c08cb4c
                                                                                                                            • Instruction ID: 5329dce864716b417e33f500023836bbe0796c61ba0fd1a379c0cc2aebb34501
                                                                                                                            • Opcode Fuzzy Hash: 478f410146413648341e8936528a27955cee7fad26bed8f5d055f4a05c08cb4c
                                                                                                                            • Instruction Fuzzy Hash: 1CA0223022C20ACFCE00BF20C80E800F3A0FE0030C3E000E0A0880B022CB2EE802CF80
                                                                                                                            Strings
                                                                                                                            • font-size: 100%;, xrefs: 00FBC94A
                                                                                                                            • <style type="text/css">, xrefs: 00FBC92C
                                                                                                                            • background-color: #FFFFFF;, xrefs: 00FBC954
                                                                                                                            • margin: 0px 0px 0px 0px;, xrefs: 00FBC97C
                                                                                                                            • </title>, xrefs: 00FBC922
                                                                                                                            • font-size: 130%;, xrefs: 00FBC972
                                                                                                                            • display: none;, xrefs: 00FBC99A
                                                                                                                            • <head><meta http-equiv="content-type" content="text/html; charset=utf-8" /><meta name="copyright" content="TektonIT" /><meta na, xrefs: 00FBC90F
                                                                                                                            • font-family: Courier New, monospace;, xrefs: 00FBC940
                                                                                                                            • textarea {, xrefs: 00FBC990
                                                                                                                            • body {, xrefs: 00FBC936
                                                                                                                            • h1 {, xrefs: 00FBC968
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.0000000000FBC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FBC000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_fbc000_rutserv.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: </title>$<head><meta http-equiv="content-type" content="text/html; charset=utf-8" /><meta name="copyright" content="TektonIT" /><meta na$<style type="text/css">$background-color: #FFFFFF;$body {$display: none;$font-family: Courier New, monospace;$font-size: 100%;$font-size: 130%;$h1 {$margin: 0px 0px 0px 0px;$textarea {
                                                                                                                            • API String ID: 0-3743830688
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.00000000019B6000.00000020.00000001.01000000.0000000D.sdmp, Offset: 019B6000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_19b6000_rutserv.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: closed_by_user$error_code$network_load$ra_session_id$show_duration_in_sec
                                                                                                                            • API String ID: 0-946321287
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.0000000000BF9000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00BF9000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_bf9000_rutserv.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: END$INHERITED$INLINE$OBJECT
                                                                                                                            • API String ID: 0-4145825852
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2977104494.0000000000BF9000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00BF9000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_bf9000_rutserv.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: END$INHERITED$INLINE$OBJECT
                                                                                                                            • API String ID: 0-4145825852

                                                                                                                            Execution Graph

                                                                                                                            Execution Coverage:4.3%
                                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                                            Signature Coverage:0%
                                                                                                                            Total number of Nodes:7
                                                                                                                            Total number of Limit Nodes:0
                                                                                                                            execution_graph 2041 aab75f 2042 aab74e CloseHandle 2041->2042 2043 aab761 2042->2043 2037 aab6c0 CreateFileW 2038 aab6fb 2037->2038 2039 aab70c 2037->2039 2040 aab74e CloseHandle 2039->2040 2040->2038

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • CreateFileW.KERNELBASE(\\.\PIPE\RManFUSServerNotify32,40000000,00000003,00000000,00000003,00000000,00000000,00000000,00AAB75A), ref: 00AAB6ED
                                                                                                                            • CloseHandle.KERNELBASE(000000FF,00AAB761), ref: 00AAB752
                                                                                                                            Strings
                                                                                                                            • Error - CreateFile, xrefs: 00AAB6FB
                                                                                                                            • \\.\PIPE\RManFUSServerNotify32, xrefs: 00AAB6E8
                                                                                                                            • Error - NotifyServer - WriteFile, xrefs: 00AAB737
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.2963183965.0000000000AAB000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00AAB000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_aab000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseCreateFileHandle
                                                                                                                            • String ID: Error - CreateFile$Error - NotifyServer - WriteFile$\\.\PIPE\RManFUSServerNotify32
                                                                                                                            • API String ID: 3498533004-2744967546

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 13 524ac4-524ae2 15 524b81-524b93 13->15 16 524ae8-524b1c 13->16 20 524b24-524b26 16->20 21 524b62-524b78 20->21 22 524b28-524b37 20->22 21->15 22->21 26 524b39-524b59 22->26 26->21 31 524b5b-524b5e 26->31 31->21
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.2963183965.0000000000524000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00524000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_524000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: GlassSessionId$SYSTEM\CurrentControlSet\Control\Terminal Server
                                                                                                                            • API String ID: 0-152818403

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 32 524ac2-524ae2 35 524b81-524b93 32->35 36 524ae8-524b0f 32->36 39 524b17-524b1c 36->39 40 524b24-524b26 39->40 41 524b62-524b78 40->41 42 524b28-524b37 40->42 41->35 42->41 46 524b39-524b59 42->46 46->41 51 524b5b-524b5e 46->51 51->41
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.2963183965.0000000000524000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00524000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_524000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: GlassSessionId$SYSTEM\CurrentControlSet\Control\Terminal Server
                                                                                                                            • API String ID: 0-152818403

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 68 aab75f-aab764 CloseHandle
                                                                                                                            APIs
                                                                                                                            • CloseHandle.KERNELBASE(000000FF,00AAB761), ref: 00AAB752
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.2963183965.0000000000AAB000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00AAB000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_aab000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseHandle
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2962429428-0

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 71 3b3dbc-3b3dcb 72 3b3dcd 71->72 73 3b3dd5-3b3dfe 71->73 72->73 75 3b3e00-3b3e04 73->75 76 3b3e06-3b3e08 73->76 75->76 77 3b3e0a 75->77 78 3b3e0c-3b3e13 76->78 77->78 79 3b3e8f-3b3e9c 78->79 80 3b3e15-3b3e19 78->80 88 3b3e9f-3b3ea7 79->88 81 3b3e1b-3b3e37 80->81 82 3b3e39-3b3e47 80->82 86 3b3e51-3b3e55 81->86 85 3b3e4e 82->85 85->86 86->88 89 3b3e57-3b3e8d 86->89 90 3b3eac-3b3ebc 88->90 89->88
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.2963183965.00000000003B3000.00000020.00000001.01000000.0000000B.sdmp, Offset: 003B3000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_3b3000_rfusclient.jbxd

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 97 3b3c26-3b3c5c 100 3b3c5e-3b3c6f 97->100 101 3b3c93-3b3cc2 call 3b3914 97->101 103 3b3c74-3b3c7c 100->103 107 3b3ccc-3b3cd3 101->107 108 3b3cc4 101->108 103->101 110 3b3cd4 107->110 108->107 110->110
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.2963183965.00000000003B3000.00000020.00000001.01000000.0000000B.sdmp, Offset: 003B3000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_3b3000_rfusclient.jbxd

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 111 3b3c28-3b3c5c 113 3b3c5e-3b3c6f 111->113 114 3b3c93-3b3cc2 call 3b3914 111->114 116 3b3c74-3b3c7c 113->116 120 3b3ccc-3b3cd3 114->120 121 3b3cc4 114->121 116->114 123 3b3cd4 120->123 121->120 123->123
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.2963183965.00000000003B3000.00000020.00000001.01000000.0000000B.sdmp, Offset: 003B3000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_3b3000_rfusclient.jbxd

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 124 2791e0-2791ee 126 2791f0-2791fa 124->126 127 279203-279205 126->127 128 2791fc 126->128 127->126 129 279207-279211 call 279a20 127->129 130 279201 128->130 130->127
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.2963183965.0000000000279000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00279000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_279000_rfusclient.jbxd

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 133 3b3d20-3b3d24 134 3b3d2e-3b3d41 call 3b3dbc 133->134 135 3b3d26 133->135 138 3b3d43 134->138 139 3b3d52-3b3d56 134->139 135->134 140 3b3d48-3b3d4f 138->140 140->139
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.2963183965.00000000003B3000.00000020.00000001.01000000.0000000B.sdmp, Offset: 003B3000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_3b3000_rfusclient.jbxd

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 141 6cbd5c-6cbd64 142 6cbd4c 141->142 143 6cbd56-6cbd5b 142->143
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.2963183965.00000000006CB000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006CB000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_6cb000_rfusclient.jbxd

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 144 6cbd74-6cbd7c 146 6cbd56-6cbd5b 144->146
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.2963183965.00000000006CB000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006CB000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_6cb000_rfusclient.jbxd

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 147 6cbd47-6cbd4b 148 6cbd4c 147->148 149 6cbd56-6cbd5b 148->149
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.2963183965.00000000006CB000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006CB000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_6cb000_rfusclient.jbxd

                                                                                                                            Execution Graph

                                                                                                                            Execution Coverage:10.1%
                                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                                            Signature Coverage:0%
                                                                                                                            Total number of Nodes:35
                                                                                                                            Total number of Limit Nodes:3
                                                                                                                            execution_graph 1533 523be0 1536 523c0c 1533->1536 1534 523ce1 1536->1534 1537 523968 1536->1537 1540 52383c 1537->1540 1542 523855 1540->1542 1541 523936 1541->1536 1542->1541 1543 52392e DispatchMessageW 1542->1543 1543->1541 1544 5234a0 1545 5234b4 1544->1545 1546 5234d8 1545->1546 1547 5234c8 SetWindowTextW 1545->1547 1547->1546 1562 523950 1563 523956 1562->1563 1564 52383c DispatchMessageW 1563->1564 1565 523963 1563->1565 1564->1563 1548 27af00 1549 27af1d CreateThread 1548->1549 1551 27af65 1549->1551 1574 27aefe 1575 27af00 CreateThread 1574->1575 1577 27af65 1575->1577 1566 523bde 1569 523be0 1566->1569 1567 523ce1 1568 523968 DispatchMessageW 1568->1569 1569->1567 1569->1568 1552 755e68 1553 755e7a CreateFileW 1552->1553 1554 755eaa 1553->1554 1555 27aec8 1556 27aed0 1555->1556 1559 27af78 1556->1559 1557 27aef2 1560 27af84 1559->1560 1561 27af8c RtlExitUserThread 1559->1561 1560->1561 1561->1557

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 0 52383c-523857 2 523945-52394c 0->2 3 52385d-523861 0->3 4 523863-52386b 3->4 5 523871 3->5 4->5 10 52386d-52386f 4->10 6 523873-52387c 5->6 7 523894-5238a7 6->7 8 52387e-523892 6->8 13 5238a8-5238aa 7->13 8->13 10->6 13->2 14 5238b0-5238b6 13->14 15 52393e 14->15 16 5238bc-5238c8 14->16 15->2 17 5238da-5238e5 16->17 18 5238ca-5238ce 16->18 17->2 20 5238e7-5238f2 call 5236d8 17->20 18->17 20->2 23 5238f4-5238f8 20->23 23->2 24 5238fa-523905 call 523590 23->24 24->2 27 523907-523912 call 5235e0 24->27 27->2 30 523914-52391f call 523548 27->30 30->2 33 523921-52392c 30->33 35 523936-52393c 33->35 36 52392e-523934 DispatchMessageW 33->36 35->2 36->2
                                                                                                                            APIs
                                                                                                                            • DispatchMessageW.USER32(?,?,?,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 0052392F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000014.00000002.2963219958.0000000000523000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00523000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_20_2_523000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: DispatchMessage
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2061451462-0

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 38 755e68-755ea8 CreateFileW 40 755eb1-755ec5 38->40 41 755eaa-755eaf 38->41 43 755eca-755ee2 40->43 44 755f21-755f24 41->44 46 755ee4-755ee8 43->46 47 755ef3 43->47 46->47 48 755eea-755eed 46->48 47->44 48->47
                                                                                                                            APIs
                                                                                                                            • CreateFileW.KERNELBASE(00755F28,C0000000,00000003,00000000,00000003,00000000,00000000,00000000,00755F1A), ref: 00755E9C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000014.00000002.2963219958.0000000000755000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00755000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_20_2_755000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateFile
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 823142352-0

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 49 27af00-27af1b 50 27af1d-27af29 49->50 51 27af2b-27af39 49->51 54 27af3c-27af63 CreateThread 50->54 51->54 55 27af65 54->55 56 27af6c-27af74 54->56 55->56
                                                                                                                            APIs
                                                                                                                            • CreateThread.KERNEL32(?,?,Function_00000EC8,00000000,?,?), ref: 0027AF5A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000014.00000002.2963219958.000000000027A000.00000020.00000001.01000000.0000000B.sdmp, Offset: 0027A000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_20_2_27a000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateThread
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2422867632-0

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 57 27aefe-27af1b 59 27af1d-27af29 57->59 60 27af2b-27af39 57->60 63 27af3c-27af63 CreateThread 59->63 60->63 64 27af65 63->64 65 27af6c-27af74 63->65 64->65
                                                                                                                            APIs
                                                                                                                            • CreateThread.KERNEL32(?,?,Function_00000EC8,00000000,?,?), ref: 0027AF5A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000014.00000002.2963219958.000000000027A000.00000020.00000001.01000000.0000000B.sdmp, Offset: 0027A000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_20_2_27a000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateThread
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2422867632-0

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 66 5234a0-5234b4 68 5234b6-5234bd 66->68 69 5234f9-5234fc 66->69 70 5234bf-5234c6 68->70 71 5234ec-5234f2 68->71 72 5234d8-5234e6 70->72 73 5234c8-5234d6 SetWindowTextW 70->73 71->69 72->71 73->71
                                                                                                                            APIs
                                                                                                                            • SetWindowTextW.USER32(?,00000000), ref: 005234D1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000014.00000002.2963219958.0000000000523000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00523000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_20_2_523000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: TextWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 530164218-0

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 75 27af78-27af82 76 27af84 75->76 77 27af8c-27af93 RtlExitUserThread 75->77 76->77
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000014.00000002.2963219958.000000000027A000.00000020.00000001.01000000.0000000B.sdmp, Offset: 0027A000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_20_2_27a000_rfusclient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExitThreadUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3424019298-0

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 149 587f48-587f9b 150 587fa3-587fad 149->150 152 587faf-587fbc 150->152 153 587fc1-587fef 150->153 152->153
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000014.00000002.2963219958.0000000000587000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00587000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_20_2_587000_rfusclient.jbxd